Correlate userid to username

matthew_foos
Path Finder

Splunkers,

The following search returns user lockouts:

index=winevents EventCode=4740

I have a user field which is "abc1234".

The following search returns a target_user field in the form "First Last (userid)":

index=msad sourcetype=ActiveDirectory
| eval target_user = givenName." ".sn." (".sAMAccountName.")"

How can I combine these searches to produce a field that would let me display:

First Last (userid) and Account Lockouts in a single table?

Thanks

DalJeanis
Legend

Pseudocode for that is as follows:

(index=winevents EventCode=4740)
OR
(index=msad sourcetype=ActiveDirectory)
| fields _time EventCode "Account Name" cn givenName sn sAMAccountName Message

| rename COMMENT as "set up a single named key to match the records, and create the target_user data"
| eval cn=coalesce(cn, 'Account Name')
| eval target_user = givenName." ".sn." (".sAMAccountName.")"

| rename COMMENT as "roll the target_user data from the MSAD records onto the lockout records, then drop the MSAD records"
| eventstats values(target_user) as target_user by cn
| where EventCode=4740
jodyfsu
Path Finder

Do you have some example events we can look at? You may need to do a join.

matthew_foos
Path Finder

Lockout event (I've taken out the irrelevant data):

07/12/2018 11:16:16 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
Message=A user account was locked out.

Account That Was Locked Out:
Account Name: abc1234

MSAD event (I've taken out the irrelevant data):

07/12/2018 11:31:04.229
Names:
name=kfp1234
displayName=Kenny Powers
distinguishedName=CN=kfp1234
givenName=Kenny
sn=Powers
cn=kfp1234
Object Details:
sAMAccountName=kfp1234

jodyfsu
Path Finder

Thanks. So, in the lockout event, will the Account Name (abc1234) match either the name, cn, or sAMAccountName?

If yes, you can do a join and then a subquery.

matthew_foos
Path Finder

It appears that way. Could you help me with the SPL?

jodyfsu
Path Finder

See if this will work:

index=winevents EventCode=4740
| rename "Account Name" as cn
| join overwrite=false cn
    [search index=msad sourcetype=ActiveDirectory
    | fields cn givenName sn sAMAccountName]
| table _time givenName sn cn Message

I'm renaming Account Name to cn so the join will work.

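Added example, not from any of the posts above: the same correlation written with stats instead of join, which avoids the subsearch row and time limits that join inherits and goes a little further than the answers by also counting lockouts per account and flagging accounts with no MSAD match. It assumes the field names shown in the sample events (the lockout field extracted literally as "Account Name", the MSAD cn holding the same value; adjust the rename if your Windows add-on extracts it as Account_Name instead).

```spl
(index=winevents EventCode=4740) OR (index=msad sourcetype=ActiveDirectory)
| fields _time EventCode "Account Name" cn givenName sn sAMAccountName

| rename COMMENT as "one join key: lockouts carry Account Name, MSAD records carry cn (assumed to hold the same value)"
| eval cn=coalesce(cn, 'Account Name')

| rename COMMENT as "build the display name on MSAD records only; it stays null on lockout records"
| eval target_user=if(isnotnull(sAMAccountName), givenName." ".sn." (".sAMAccountName.")", null())

| rename COMMENT as "stamp lockout records with a readable time so values() can collect them per account"
| eval lockout_time=if(EventCode=4740, strftime(_time, "%Y-%m-%d %H:%M:%S"), null())

| rename COMMENT as "collapse to one row per account; values() and count() ignore nulls, so each side contributes only its own fields"
| stats values(target_user) as target_user, count(lockout_time) as lockouts, values(lockout_time) as lockout_times by cn

| rename COMMENT as "keep only accounts that actually locked out, and mark those with no matching MSAD record"
| where lockouts > 0
| fillnull value="(no MSAD record)" target_user
| table target_user cn lockouts lockout_times
```

Accounts that lock out but have no MSAD record are worth a look on their own, since they are usually stale or non-directory accounts rather than a data problem.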