Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- best practice multiple eventID 4624 for one logon
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
i try to identify how often a user account was loged on. the problem is that the DC generates multible 4624 in very short time (different processes?). is there any best practice soltion to get a correct number of logon events? there are some topic whit that question but i cant find any useable solution.
i tryes with | debuc Logon_GUID but that dont work 😞
sourcetype="WinEventLog:Security" EventCode=4624| eval Account_Name=if(Account_Name="-", (mvindex(Account_Name,1)), Account_Name)| eval Account_Domain=if(Account_Domain="-", (mvindex(Account_Domain,1)), Account_Domain)| dedup Logon_GUID | chart count by Account_Name | sort - count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For my environment I was able to do this:
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer
The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)
So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer
OR
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName
Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For my environment I was able to do this:
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer
The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)
So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer
OR
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName
Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
