Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard?

dhrechkosy
Explorer
‎02-17-2017 09:35 AM

I am setting up dashboards for certain Active Directory security events for Splunk Light. When I search, for example, all accounts enabled and disabled it shows x2 values for "Account_Name". One is Subject and the other is Target (obviously), is there a way to filter out the "Subject" when I try to sort this search into a visualized chart? I want the outcome graph/chart to display only the Target accounts that were enabled/disabled and not display the user account who did it.

E.g.,

"Date" "Time"

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName= 
TaskCategory=User Account Management
OpCode=Info
RecordNumber=118575896
Keywords=Audit Success
Message=A user account was enabled.

Subject:
    Security ID:                "SID"
    Account Name:              "account-name"
    Account Domain:          "domain"
    Logon ID:                  "logon-id"

Target Account:
    Security ID:                "SID"
    Account Name:              "account-name"
    Account Domain:          "domain"

Thanks,
Devyn

0 Karma
Reply

woodcock
Esteemed Legend
‎02-18-2017 04:03 PM

Do your own field extraction and use that instead of the "free" ones, like this:

... | rex "(?ms)[\r\n]+EventCode=4722.*[\r\n]+Target Account:[\r\n]+\s+Security\s+ID:\s+\"?(?<MyTargetID>[^\"]+)\"?[\r\n]"
0 Karma
Reply

rbittner_splunk
Splunk Employee
Splunk Employee
‎02-17-2017 10:23 AM

Thanks! Are the Target Account and Subject different events? In short if they are different events then you should be able to filter them out before your run the stats command.

0 Karma
Reply

dhrechkosy
Explorer
‎02-17-2017 11:24 AM

The target account name and subject account name are part of the same event (if you look at the example above).

It logs which user performed the action and which user the action was being performed on.

I was hoping there was a way to filter out the "Subject Account Name" and have the chart sorted by "Target Account Name" only.

0 Karma
Reply

rbittner_splunk
Splunk Employee
Splunk Employee
‎02-17-2017 12:08 PM

There is a way to do this but will have to ask smarter Splunkers for some tips.

0 Karma
Reply

rbittner_splunk
Splunk Employee
Splunk Employee
‎02-17-2017 09:45 AM

Can you post the search that you are using to drive this chart? That will make it easier to figure out how to get the result you want.

0 Karma
Reply

dhrechkosy
Explorer
‎02-17-2017 10:04 AM 
source="wineventlog:security" EventCode=4722 OR EventCode=4725  | stats count by Account_Name
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...