I'm looking to create a view of the number of user accounts that have been created in the domain in the past 24 hours. Here is my query, and my timeframe is last 24hrs.
sourcetype="WinEventLog:Security" AND EventCode=4720
The view that comes back is very abbreviated; I have to click "show all 50 lines" to get at the info I need. What I would like to see is the date, time, server, the user who created the account, and the created account name. This is trivial for me to do in PowerShell, but I'd like to have a nice dashboard that shows this for more users than just myself.
sourcetype="WinEventLog:Security" AND EventCode=4720 | eval AccountCreator=mvindex(Account_Name,0) | eval AccountCreated=mvindex(Account_Name,1) | table _time, host, AccountCreator, AccountCreated
The mvindex command will pull the values out for you into a new field name you create.
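As an added illustration (not code from this thread or from Splunk), the script below does offline what the search above does in SPL: it walks the `_raw` text of a 4720 event, collects every "Account Name:" value in document order (the list Splunk exposes as the multivalue field Account_Name), and treats index 0 as the creator and index 1 as the created account, then keeps only events inside a 24-hour window. The event bodies, hostnames, SIDs and user names are constructed placeholders; `REFERENCE_NOW` stands in for the dashboard's "now".

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). The layout mirrors how the
# WinEventLog:Security input renders a 4720 "A user account was created." event:
# "Account Name:" appears under Subject (who created it) and again under
# New Account (what was created). Hosts, SIDs and names are placeholders.
EVENT_TEMPLATE = """{ts}
LogName=Security
EventCode={code}
ComputerName={host}
Message={message}

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\t{creator}
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

{section}:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-{rid}
\tAccount Name:\t\t{created}
\tAccount Domain:\t\tCORP

Attributes:
\tSAM Account Name:\t{created}
"""


def make_event(ts, code, host, creator, created, rid, message, section="New Account"):
    """Render one constructed _raw event from the template above."""
    return EVENT_TEMPLATE.format(ts=ts, code=code, host=host, creator=creator,
                                 created=created, rid=rid, message=message, section=section)


SAMPLE_EVENTS = [
    make_event("01/15/2024 10:23:45 AM", 4720, "DC01.corp.example",
               "adminjane", "svc_backup", 1208, "A user account was created."),
    make_event("01/13/2024 09:00:00 AM", 4720, "DC02.corp.example",   # older than 24 h
               "adminbob", "oldtemp", 1190, "A user account was created."),
    make_event("01/14/2024 11:30:00 PM", 4720, "DC01.corp.example",
               "helpdesk1", "tempcontractor", 1209, "A user account was created."),
    make_event("01/15/2024 11:00:00 AM", 4722, "DC01.corp.example",   # not a 4720
               "adminjane", "svc_backup", 1208, "A user account was enabled.",
               section="Target Account"),
]
REFERENCE_NOW = datetime(2024, 1, 15, 12, 0, 0)  # constructed stand-in for "now"

HEADER_RE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)
ACCOUNT_NAME_RE = re.compile(r"^[ \t]*Account Name:[ \t]*(\S+)[ \t]*$", re.MULTILINE)
SAM_NAME_RE = re.compile(r"^[ \t]*SAM Account Name:[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def parse_4720(raw):
    """Return the fields the dashboard needs, or None if this is not a 4720 event."""
    header = dict(HEADER_RE.findall(raw))          # the key=value lines before the body
    if header.get("EventCode") != "4720":
        return None
    names = ACCOUNT_NAME_RE.findall(raw)           # same order as Splunk's Account_Name
    if len(names) < 2:
        return None                                # malformed: no creator/created pair
    sam = SAM_NAME_RE.search(raw)
    return {
        "_time": datetime.strptime(raw.splitlines()[0].strip(), "%m/%d/%Y %I:%M:%S %p"),
        "host": header.get("ComputerName"),
        "AccountCreator": names[0],                # mvindex(Account_Name, 0)
        "AccountCreated": names[1],                # mvindex(Account_Name, 1)
        "SamAccountName": sam.group(1) if sam else None,
    }


def recent_account_creations(events, now, window=timedelta(hours=24)):
    """Rows for 4720 events whose timestamp falls within `window` before `now`."""
    rows = [r for r in (parse_4720(e) for e in events)
            if r is not None and now - window <= r["_time"] <= now]
    return sorted(rows, key=lambda r: r["_time"])


ROW_FMT = "%-19s  %-18s  %-14s  %s"


def render_table(rows):
    """Plain-text equivalent of '| table _time, host, AccountCreator, AccountCreated'."""
    lines = [ROW_FMT % ("_time", "host", "AccountCreator", "AccountCreated")]
    for r in rows:
        lines.append(ROW_FMT % (r["_time"].strftime("%Y-%m-%d %H:%M:%S"), r["host"],
                                r["AccountCreator"], r["AccountCreated"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(recent_account_creations(SAMPLE_EVENTS, REFERENCE_NOW)))
```

Two points carry over to the SPL version: the ordering assumption (Subject before New Account) is what makes index 0 the creator and index 1 the new account, so it holds only for 4720 and should not be reused blindly for other account-management event codes; and the value under Attributes is the SAM Account Name, which is the one you would match against directory records when reviewing who created what.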
That is pretty awesome, thanks! I also spoke with Darryl Burns from Splunk, and his solution was to pipe the query through xmlkv; this maps out the underlying XML from Windows so Splunk can see those sub fields.
sourcetype="WinEventLog:Security" AND EventCode=4720 | xmlkv
But I really like how you laid that out in table format!
Account Name is, but with this particular event there are multiples of that; the first one is the account name used to create the second account name 😉 So I would like to pull in SAM Account Name, but that doesn't appear to be a thing.
Right. You might need to learn some regex-fu in order to be able to tell Splunk how to recognize your fields properly. For Windows event logs, though, there are a bunch of extractions already in there that should be applied, such as Account_Name, for instance.
I think what I want is to do field extraction, and ideally I would like to extract SAM Account Name, but when I do that in the field extraction page, it tells me: "No regex could be learned. Try providing different examples or restriction"
Sorry it's been so long since I've gotten back to this, but here is an example of what this event looks like.
4720 is the first example, and you can see how it looks; when I click "show the next 50 lines", basically that is what I see. I'm trying to extract just the pertinent information that I specified in the original post.
That's weird. Normally Windows events are extracted nicely. Is it not extracted at all or is it a multivalued field (i.e. there are two fields in _raw that are called "Account Name" or something similar)?
Please update your original question with a sample event. Mask IP addresses, hostnames, etc. as needed.
I get that, but I think the disconnect is that field1-3 only appear to live in the _raw data of the event. If you open up an event in the Event Viewer, this is the data contained in the window that describes the event, such as that a new user was created... does that make sense?
You are aware of the table search command?
sourcetype=WinEventLog:Security EventCode=4720 | table _time host field1 field2 field3
The AND is implied, and not needed in the search.