Dashboards & Visualizations

How can I search on a dashboard for all events related to a specific individual?

mac81
New Member

I am trying to find the syntax for finding a given event that relates to a particular user.

Eg:

index=winevents-j OR index=msad* sourcetype=wineventlog:* EventCode="4625" OR Event="4625" +

I have searched this site and the web, with no luck (so far).

Thanks.
Mac

0 Karma

DalJeanis
SplunkTrust

Okay, here's how you make something like this work.

First, you take your own userid and search various indexes for your id for times you knew you were doing things you want to detect. This allows you to verify the format for the records, and what the exact field name is for the userid.

Second, poke around and find all your own records across that same time frame. Search for records with the same IP address at the time you had it, for example. There may be various forms of your userid, or there may be record types that don't use the userid, but use some other identifying feature.

Third, craft a single search that will find all your records that you discovered.

Fourth, replace your id with someone else's and validate the search.

Fifth, build that into a dash, and validate that it still works on your target ids.

0 Karma

mac81
New Member

I apologize.

I am trying to find the syntax for finding a given event that relates to a particular user.

Eg:
index=winevents-j OR index=msad* sourcetype=wineventlog:* EventCode="4625" OR Event="4625" +

0 Karma

mac81
New Member

I can see the 4625 log fields at
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
but I still am unable to find the right syntax for this simple query.

0 Karma

Vijeta
Influencer

Try-

index=winevents-j OR index=msad* sourcetype=wineventlog:* 4625

0 Karma

mac81
New Member

Thanks, but I am trying to be able to search by a unique user name, or prefix.

Like index=winevents-j OR index=msad* sourcetype=wineventlog:* 4625 Account_Name=

But no matter how I try this, it fails. I have searched the web, and this site, with no luck.

When I do an unlimited search (sans Account Name), I find plenty of entries, including svc account entries. But when I try to use something like ... Account_Name=svc* that fails, too.

0 Karma

Sukisen1981
Champion

index=winevents-j OR index=msad* sourcetype=wineventlog:* 4625 | where Account_Name="*svc*"

0 Karma

mac81
New Member

Thanks.
Sorry, but that does not work.
index=winevents* OR index=msad* sourcetype=wineventlog:* 4625 produces lots of logs, including several where the account name starts with svc.
But, for some reason,
index=winevents* OR index=msad* sourcetype=wineventlog:* 4625 | where Account_Name="svc"
does not produce anything. I will keep working on this.

0 Karma

Sukisen1981
Champion

There is no way that you have a field called Account_Name that contains svc that does not produce events with
index=winevents OR index=msad* sourcetype=wineventlog:* 4625 | where Account_Name="svc"
Key things to check:
Is it svc, or do you have trailing spaces?
Can you see the field Account_Name in the left-hand side auto-extracted fields?
You mention account names starting with svc; now that won't work with | where Account_Name="svc"
| where Account_Name="svc" maps to Account_Name containing svc, as in xxxsvcyyyy
If the account name starts with svc, use
| where Account_Name="svc*"
You piped a where with Account_Name="svc"; this will search for an exact match and not account names starting with svc or containing svc, for which * is needed.

0 Karma
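The procedure DalJeanis outlines above (confirm the field name and record types for a known account, craft one search, then build it into a dashboard) and Sukisen1981's point about filtering behind a pipe versus in the base search can be combined in one SimpleXML form. This is an added example, not code from the thread or from Splunk: the index names winevents* and msad*, the sourcetype WinEventLog:*, the 4625 field names, and the token name user are assumptions made for this thread; check them against your own auto-extracted fields before relying on them.

```xml
<form>
  <label>Account activity lookup (added example)</label>
  <description>Type an account name or prefix; both panels are driven by the same token.</description>
  <fieldset submitButton="true" autoRun="false">
    <!-- "user" is whatever the analyst types. It is referenced below as $user|s$:
         the |s filter wraps the value in double quotes and escapes embedded quotes,
         so an input such as   svc" OR index=*   cannot change the shape of the search.
         Wildcards still work inside the quotes: svc* matches any value starting with svc. -->
    <input type="text" token="user" searchWhenChanged="false">
      <label>Account name or prefix (wildcard * allowed, e.g. svc*)</label>
      <default>svc*</default>
    </input>
    <input type="time" token="tp" searchWhenChanged="false">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <!-- Steps 1 to 3 of the procedure: run this with your own id first. The count by
           index and sourcetype shows which record types carry the account, and the
           values() columns show which field name each record type actually uses.
           Field names never contain spaces: the raw event prints "Account Name:", but the
           extracted field is Account_Name. Events that lack EventCode (for example AD
           records in msad*) are kept because EventCode is aggregated, not grouped by. -->
      <title>Where does this account appear, and under which field?</title>
      <table>
        <search>
          <query>(index=winevents* OR index=msad*) (Account_Name=$user|s$ OR user=$user|s$)
| stats count min(_time) as first_seen max(_time) as last_seen values(EventCode) as EventCode values(Account_Name) as Account_Name values(user) as user by index sourcetype
| convert ctime(first_seen) ctime(last_seen)
| sort -count</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <!-- The failed-logon search the thread is after. Account_Name is extracted twice from
           a 4625 event (the Subject account and the account for which logon failed), so it is
           a multivalue field. A field=value test in the base search matches if any of the
           values matches and honours the * wildcard. Do not move the filter behind a pipe as
           | where Account_Name="svc*"  : in where, = is an exact string comparison and * is
           just a character. If you must filter after a pipe, use
           | where like(Account_Name, "svc%")   or   | where match(Account_Name, "^svc")  . -->
      <title>Failed logons (EventCode 4625) for matching accounts</title>
      <table>
        <search>
          <query>(index=winevents* OR index=msad*) sourcetype=WinEventLog:* EventCode=4625 Account_Name=$user|s$
| table _time host Account_Name Logon_Type Failure_Reason Source_Network_Address
| sort -_time</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Save this as the source of a new dashboard, then follow steps 4 and 5 above: run it with your own account to confirm the field names and record types match what the first panel reports, then with a target id, and only then trust the second panel.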

mac81
New Member

Thanks.
Yes, I tried every possible combo.
| where Account_Name="svc"
| where Account_Name="svc*"
| where Account_Name="svc"
| where Account_Name="*svc"

If I take out the pipe and where clause, I see lots of svc... accounts.
So, no luck.

0 Karma

mac81
New Member

It is svc with no trailing spaces.

Can you see the field Account_Name in the left hand side auto extracted fields?
I see Account Name in the results.
Thanks.

0 Karma

Sukisen1981
Champion

You really do need to elaborate here.
You do realize that asking one-liner questions like this, with no context about your events, dashboard or drop-downs, gives us very very little chance of looking at your issue?

0 Karma

mstjohn_splunk
Splunk Employee

Hi @mac81

Thanks for posting! Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue.

0 Karma