
How can I search on a dashboard for all events related to a specific individual?

New Member

How can I search on a dashboard for all events related to a specific individual?

I am trying to find the syntax for finding a given event that relates to a particular user.

Eg:

index=winevents-j OR index=msad* sourcetype=wineventlog:* EventCode="4625" OR Event="4625" +

I have searched this site and the web, with no luck (so far).

Thanks.
Mac

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

Splunk Employee

Hi @mac81

Thanks for posting! Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue.

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

Champion

You really do need to elaborate here.
You do realize that asking one-liner questions like this, with no context about your events, dashboard or drop-downs, gives us very, very little chance of looking at your issue?

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

New Member

I apologize.

I am trying to find the syntax for finding a given event that relates to a particular user.

Eg:
index=winevents-j OR index=msad* sourcetype=wineventlog:* EventCode="4625" OR Event="4625" +

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

New Member

I can see the 4625 log fields at
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
but I still am unable to find the right syntax for this simple query.

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

Influencer

Try-

index=winevents-j OR index=msad* sourcetype=wineventlog:*  4625
0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

New Member

Thanks, but I am trying to be able to search by a unique user name, or prefix.

Like index=winevents-j OR index=msad* sourcetype=wineventlog:* 4625 Account_Name=

But no matter how I try this, it fails. I have searched the web, and this site, with no luck.

When I do an unlimited search (sans Account Name), I find plenty of entries, including svc account entries. But when I try to use something like ... Account_Name=svc* that fails, too.

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

Champion
index=winevents-j OR index=msad* sourcetype=wineventlog:* 4625 | where Account_Name="*svc*"
0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

New Member

Thanks.
Sorry, but that does not work.
index=winevents* OR index=msad* sourcetype=wineventlog:* 4625 produces lots of logs, including several where the account name starts with svc.
But, for some reason,
index=winevents* OR index=msad* sourcetype=wineventlog:* 4625 | where Account_Name="svc"
does not produce anything. I will keep working on this.

0 Karma

Re: How can I search on a dashboard for all events related to a specific individual?

Champion

There is no way that you have a field called Account_Name that contains svc that does not produce events with
index=winevents* OR index=msad* sourcetype=wineventlog:* 4625 | where Account_Name="svc"
Key things to check:
Is it svc or do you have trailing spaces?
Can you see the field Account_Name in the left hand side auto extracted fields?
You mention account name starting with svc, now that won't work with | where Account_Name="svc"
| where Account_Name="*svc*" maps to Account_Name containing svc as in xxxsvcyyyy
If account name starts with svc, use
| where Account_Name="svc*"
You piped a where with Account_Name="svc", this will search for an exact match and not account names starting with svc or containing svc for which * is needed

0 Karma
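The three matching behaviours the thread circles around (exact match, prefix wildcard, contains), as an added example written for this page in Python; it is not Splunk code and not from anyone in the thread. It assumes constructed 4625 event bodies laid out like the Windows Security log message Splunk ingests, and it models the SPL semantics as follows: inside `where`, `=` is an exact, case-sensitive string comparison and a `*` in the value is a literal character; wildcard matching belongs in the base search or `| search` (`Account_Name=svc*`, case-insensitive), or inside `where` via `like(Account_Name, "svc%")`. A 4625 event also carries two "Account Name" values (the Subject and the account whose logon failed), which Splunk extracts as one multivalue field, so the example keeps both and counts failures by the target account, which is what a defender watching for password guessing against svc accounts actually wants.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase


# Constructed sample events (not real log data). The layout mirrors the
# message body of Windows Security event 4625 as Splunk ingests it. The
# two "Account Name:" lines are the Subject and the account whose logon
# failed; Splunk's key-value extraction turns them into one multivalue
# field, Account_Name.
def _event(subject: str, target: str, reason: str) -> str:
    return (
        "EventCode=4625\n"
        "Subject:\n"
        f"\tAccount Name:\t\t{subject}\n"
        "Account For Which Logon Failed:\n"
        f"\tAccount Name:\t\t{target}\n"
        f"Failure Reason:\t\t{reason}"
    )


SAMPLE_EVENTS = [
    _event("-", "svc_backup", "Unknown user name or bad password."),
    _event("-", "jdoe", "Unknown user name or bad password."),
    _event("-", "svc_backup", "Unknown user name or bad password."),
    _event("-", "appsvc01", "Account locked out."),
    _event("WS01$", "SVC_Monitor", "Unknown user name or bad password."),
]

ACCOUNT_RE = re.compile(r"^\s*Account Name:\s*(\S+)\s*$", re.MULTILINE)


def account_names(event: str) -> list[str]:
    """Every Account Name value in an event, in order (multivalue)."""
    return ACCOUNT_RE.findall(event)


def target_account(event: str) -> str:
    """The account whose logon failed: the last Account Name value."""
    names = account_names(event)
    return names[-1] if names else ""


def where_equals(events: list[str], value: str) -> list[str]:
    """Mimics `| where Account_Name="value"`: exact and case-sensitive;
    a '*' in value is a literal character, not a wildcard. Treating the
    event as a hit when any multivalue entry matches is a simplification
    made for this example."""
    return [e for e in events if value in account_names(e)]


def where_like(events: list[str], pattern: str) -> list[str]:
    """Mimics `| where like(Account_Name, "pattern")`: SQL-style wildcards
    ('%' = any run of characters, '_' = one character), case-sensitive."""
    glob = pattern.replace("%", "*").replace("_", "?")
    return [e for e in events
            if any(fnmatchcase(n, glob) for n in account_names(e))]


def search_wildcard(events: list[str], pattern: str) -> list[str]:
    """Mimics `Account_Name=pattern` in the base search or `| search`:
    '*' is a wildcard and field-value matching is case-insensitive."""
    glob = pattern.lower()
    return [e for e in events
            if any(fnmatchcase(n.lower(), glob) for n in account_names(e))]


def failed_logons_by_account(events: list[str]) -> Counter:
    """4625 count per target account: the first view a defender wants when
    looking for password guessing against service accounts."""
    return Counter(target_account(e) for e in events)


if __name__ == "__main__":
    print('where Account_Name="svc"       :', len(where_equals(SAMPLE_EVENTS, "svc")))
    print('where Account_Name="svc*"      :', len(where_equals(SAMPLE_EVENTS, "svc*")))
    print('where like(Account_Name,"svc%"):', len(where_like(SAMPLE_EVENTS, "svc%")))
    print("search Account_Name=svc*       :", len(search_wildcard(SAMPLE_EVENTS, "svc*")))
    print("search Account_Name=*svc*      :", len(search_wildcard(SAMPLE_EVENTS, "*svc*")))
    print(failed_logons_by_account(SAMPLE_EVENTS).most_common())
```

Run against the constructed events, the exact `where` form returns nothing (no account is literally named `svc`, and `svc*` inside `where` is treated as the literal string `svc*`), while the wildcard forms return the svc accounts. Translated back to SPL for the question in the thread, the prefix filter goes in the base search, e.g. `index=winevents* OR index=msad* sourcetype=wineventlog:* EventCode=4625 Account_Name=svc*`, or after the pipe as `| where like(Account_Name, "svc%")`. Two checks worth doing before blaming the syntax: confirm the field really is named `Account_Name` in the extracted-fields sidebar, and remember that the Subject's Account Name is often `-` or a machine account such as `WS01$`, so a report on "who failed to log on" should use the second value, not the first.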