I'm looking to create a view of the number of user accounts that have been created in the domain in the past 24 hours. Here is my query, and my timeframe is the last 24 hours.
sourcetype="WinEventLog:Security" AND EventCode=4720
The view that comes back is very abbreviated, I have to click show all 50 lines to get at the info I need. What I would like to see is the date, time, server, the user who created the account, and the created account name. This is trivial for me to do in powershell, but I'd like to have a nice dashboard that shows this for more users than just myself.
sourcetype="WinEventLog:Security" AND EventCode=4720 | eval AccountCreator=mvindex(Account_Name,0) | eval AccountCreated=mvindex(Account_Name,1) | table _time, host, AccountCreator, AccountCreated
The mvindex command will pull the values out for you into a new field name you create.
This was driving me crazy. Thanks!
Your question gave me the excuse to actually reprogram one of my dashes to correctly view authentications on a Windows NPS server.
That is pretty awesome thanks! I also spoke with Darryl Burns from Splunk and his solution was to pipe the query through xmlkv, this maps out the underlying XML from Windows so Splunk can see those sub fields.
sourcetype="WinEventLog:Security" AND EventCode=4720 | xmlkv
But I really like how you laid that out in table format!
Here is where I went.
http://regexhero.net/tester/
So I went to an online regex checker, pasted in the contents of the event, and just typed in SAM Account Name: as the search, and that worked.
Account Name is, but with this particular event there are multiples of that; the first one is the account name used to create the second account name 😉 So I would like to pull in SAM Account Name, but that doesn't appear to be a thing.
Right. You might need to learn some regex-fu in order to be able to tell Splunk how to recognize your fields properly. For Windows event logs though, there's a bunch of extractions already in there that should be applied. Such as Account_Name for instance.
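To show concretely what the mvindex answer and the xmlkv variant above are pulling out of a 4720 event, and what the regex for "SAM Account Name" has to look like, here is an added Python example that is not part of this thread. Both event samples in it are constructed, not captured from a real domain controller; the SIDs, hostname and usernames are placeholders, and the XML Data Name values (SubjectUserName, TargetUserName, SamAccountName) are the 4720 EventData field names as assumed here. The "Account Name:" regex is anchored at the start of the line so that it does not also match "SAM Account Name:", which is why the two values come back in the same order Splunk puts them in the multivalued Account_Name field: creator first, new account second.

```python
"""Extract creator / created account from a Windows event 4720.

Added example, not from the thread. Both samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed rendered-text form of a 4720 event, as it appears in the _raw
# of a WinEventLog:Security event (abbreviated; SIDs are placeholders).
SAMPLE_4720_TEXT = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP

Attributes:
\tSAM Account Name:\tsvc_backup
\tDisplay Name:\t\t<value not set>
\tUser Principal Name:\t-
"""

# Anchored at line start so "SAM Account Name:" and "Account Domain:" do not match.
ACCOUNT_NAME_RE = re.compile(r"^[ \t]*Account Name:[ \t]*(\S+)", re.MULTILINE)
SAM_ACCOUNT_NAME_RE = re.compile(r"^[ \t]*SAM Account Name:[ \t]*(\S+)", re.MULTILINE)


def account_names(raw):
    """Every 'Account Name:' value in document order: creator first, new account second.

    This is the same list Splunk exposes as the multivalued Account_Name field.
    """
    return ACCOUNT_NAME_RE.findall(raw)


def parse_4720_text(raw):
    """Equivalent of mvindex(Account_Name,0) / mvindex(Account_Name,1) plus a SAM cross-check."""
    names = account_names(raw)
    if len(names) != 2:
        raise ValueError(f"expected 2 Account Name values, got {len(names)}")
    creator, created = names
    match = SAM_ACCOUNT_NAME_RE.search(raw)
    sam = match.group(1) if match else None
    # The SAM Account Name under Attributes should agree with the New Account name;
    # if it does not, the field order is not what this parser assumes.
    if sam is not None and sam != created:
        raise ValueError(f"SAM Account Name {sam!r} != New Account {created!r}")
    return {"AccountCreator": creator, "AccountCreated": created, "SamAccountName": sam}


# Constructed XML form of the same event, the structure that xmlkv walks.
# Data Name values are the assumed 4720 EventData field names.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SAMPLE_4720_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2014-03-05T14:02:11.000000000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SamAccountName">svc_backup</Data>
  </EventData>
</Event>"""


def parse_4720_xml(xml_text):
    """Map the XML EventData into the same table columns as the SPL answer."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "_time": root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
        "host": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
        "AccountCreator": data["SubjectUserName"],
        "AccountCreated": data["TargetUserName"],
        "SamAccountName": data.get("SamAccountName"),
    }


if __name__ == "__main__":
    print(parse_4720_text(SAMPLE_4720_TEXT))
    print(parse_4720_xml(SAMPLE_4720_XML))
```

The text parser is what the mvindex answer relies on; the XML parser is what xmlkv gives you for free, since the subject and target are already separate Data elements there and no positional assumption is needed. The cross-check against SAM Account Name is the guard you want on a dashboard that other people will read: if it ever fails, the two Account Name values are not in the order the table assumes.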
I think what I want is to do field extraction, and ideally I would like to extract SAM Account Name, but when I do that in the field extraction page, it tells me that, "No regex could be learned. Try providing different examples or restriction"
That sounds right, but when I try to do that, it doesn't work, or more likely I don't know what I'm doing wrong. How would I do that?
You can grab whatever fields you want to see and create a table of that. Is that what you want?
Sorry it's been so long since I've gotten back to this, but here is an example of what this event looks like.
4720 is the first example and you can see how it looks, when I click show the next 50 lines, basically that is what I see. I'm trying to extract just the pertinent information that I specified in the original post.
Thanks,
That's weird. Normally Windows events are extracted nicely. Is it not extracted at all or is it a multivalued field (i.e. there are two fields in _raw that are called "Account Name" or something similar)?
Please update your original question with a sample event. Mask IP addresses, hostnames, etc. as needed.
Correct. It's also not formatted terribly well either... sigh
Sorry, I don't use eventviewer much. Do you mean that the information you want is not being extracted into fields?
I get that, but I think the disconnect is that field1-3 only appear to live in the _raw data of the event. If you open up an event in the eventviewer, this is the data contained in the window that describes the event, such as a new user was created...does that make sense?
You are aware of the table search command?
sourcetype=WinEventLog:Security EventCode=4720 | table _time host field1 field2 field3
The AND is implied, and not needed in the search.
/K