Hi,
Just wanted to know AD account activity: who deleted a user account?
@AL3Z - I don't know your use-case for above searches and stuff but I have combined the searches for you.
index=winsec sourcetype=XmlWinEventLog (EventCode=4743 NOT SubjectUserName="Win_Dir") OR (EventCode=4726 NOT SubjectUserName="EC_Okta") OR (EventCode=4725 NOT (SubjectUserName="EC_Okta" OR SubjectUserName="Win_Dir"))
| bin _time span=5m
| stats values(signature) as EventCodeDescription, values(TargetUserName) as TargetUserName, values(TargetDomainName) as User_Domain, dc(TargetUserName) as TargetUserName_count, values(object) as User_account_deleted, dc(object) as User_account_deleted_count by EventCode, _time, SubjectUserName
| eval Computer_user_deleted=if(EventCode==4743, TargetUserName, null())
| eval computeruser_count=if(EventCode==4743, TargetUserName_count, null())
| eval disabled_account=if(EventCode==4725, TargetUserName, null())
| eval disabledaccount_count=if(EventCode==4725, TargetUserName_count, null())
| eval src_user=if(EventCode==4725 OR EventCode==4726, SubjectUserName, null())
| eval Deleted_by_User=if(EventCode==4734, SubjectUserName, null())
| where computeruser_count > 10 OR User_account_deleted_count > 10 OR disabledaccount_count > 10
I hope this helps!! Kindly upvote if it does!!!
@AL3Z - In order to get the Windows/AD user account deletion events, try below search query:
index=wineventlog EventCode=4726
| table _time, ComputerName, Subject_Account_Name, Target_Account_Name
Here,
Ensure you have installed Splunk_TA_windows on your environment, even on the search head.
I hope this helps!!!
@AL3Z - Splunk_TA_windows Add-on is for field extraction.
A query for when 100 systems get deleted within a span of 1 minute:
index=wineventlog EventCode=4726
| table _time, ComputerName, Subject_Account_Name, Target_Account_Name
| bin _time span=1m
| stats count, values(Target_Account_Name) as deleted_accounts, values(Subject_Account_Name) as admins by _time
| where count>100
I hope this helps!!! Kindly upvote/karma if this helps!!!
If in that one second, let's say, 10 computers are deleted, we will not be able to get that, right?
@AL3Z - Of course not, that's a different logic, right?!
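As an added example (not code from this thread or from Splunk), the Python below reimplements the fixed-window detection the answers above express in SPL (`bin _time span=... | stats dc(Target_Account_Name) by _time, Subject_Account_Name | where count > N`) over constructed sample lines, and shows why the 1-minute / >100 rule stays silent on ten deletions inside one second while a tighter span and threshold fire. The `key=value` line format, the hostnames and the account names are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Simplified key=value rendering of the Splunk_TA_windows fields used in the thread (assumed format).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=(?P<code>\d+) ComputerName=(?P<host>\S+) "
    r"Subject_Account_Name=(?P<subject>\S+) Target_Account_Name=(?P<target>\S+)$"
)

# Constructed sample log lines (not real data): one routine deletion by a helpdesk
# account, then ten accounts deleted by a single account within the same second,
# plus one 4725 (account disabled) that must not be counted as a deletion.
SAMPLE_LOG = "2024-05-01T10:00:00 EventCode=4726 ComputerName=DC01 Subject_Account_Name=helpdesk1 Target_Account_Name=jdoe\n"
SAMPLE_LOG += "".join(
    f"2024-05-01T10:03:17 EventCode=4726 ComputerName=DC01 Subject_Account_Name=svc_deprov Target_Account_Name=user{i:03d}\n"
    for i in range(10)
)
SAMPLE_LOG += "2024-05-01T10:03:17 EventCode=4725 ComputerName=DC01 Subject_Account_Name=svc_deprov Target_Account_Name=user999\n"


def parse_events(text):
    """Parse sample lines into dicts with an epoch timestamp; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        epoch = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc).timestamp()
        events.append({**m.groupdict(), "ts": int(epoch), "code": int(m["code"])})
    return events


def deletion_bursts(events, span_seconds, threshold):
    """Bucket EventCode 4726 (user account deleted) into fixed windows per deleting
    account, like `bin _time span=...`, and return (window_start, subject, distinct_targets)
    for every bucket whose distinct-target count exceeds the threshold."""
    buckets = defaultdict(set)
    for e in events:
        if e["code"] != 4726:
            continue
        window = e["ts"] - e["ts"] % span_seconds
        buckets[(window, e["subject"])].add(e["target"])
    return sorted((w, s, len(t)) for (w, s), t in buckets.items() if len(t) > threshold)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(deletion_bursts(evts, span_seconds=60, threshold=100))  # 1-minute / >100 rule: []
    print(deletion_bursts(evts, span_seconds=1, threshold=5))     # 1-second / >5 rule: one burst
```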
@AL3Z - Do you mean to use accounts on Splunk? Or do you mean user accounts in Windows/AD as mentioned by @richgalloway ?
Please provide additional information about your question.
Search your index of Windows event logs (often wineventlog or windows) for the event code corresponding to a user account deletion. See https://ultimatewindowssecurity.com for the event code.