Create a table in my search when I enable/disable account but not when I create account.

dfigurello
Communicator

Hello guys,

I have a question about a query search. I have two queries associated with Windows.

My first query is:
EventCode=624 Message="User Account Created" | table _time New_Account_Name Caller_User_Name

Second query is:
EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled" | table Target_Account_Name Caller_User_Name _time

My problem is: when my customer creates a new account in Active Directory, it creates two events - the first event is "624" - "User Account Created", and the other event is "642" "User Account Enabled". So, I need to visualize only ENABLED accounts (EVENT 642), when an account is enabled (not created) in AD.

The _time field is equal in both events, because these events are created simultaneously.

Thanks,

DF

somesoni2
Revered Legend

As far as I understand the requirement, there are two scenarios

  1. Where a new account is created, two events (with the same timestamp) are written
    EventCode=624 Message="User Account Created"
    and
    EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled"

  2. When an account is enabled (just enable, not create), one event is written
    EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled"

and what you want is to create a table of the events from scenario 2 (account enable only).
If this is correct, you can use the following.

(EventCode=624 Message="User Account Created") OR (EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled" ) | rename New_Account_Name as Account_Name | rename Target_Account_Name as Account_Name| stats count by Account_Name, Caller_User_Name,_time | where count=1
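The same pairing logic as the search above, modelled in Python over a few constructed Windows security events, added here as an illustration (not code from the thread). It keys each event on account, caller and timestamp exactly as the stats command does, and assumes both event types carry an EventCode field (the question's second search uses EventIdentifier instead).

```python
# Constructed sample events (not real logs): Windows security events as Splunk
# would present them after field extraction. 624 = account created,
# 642 = account changed; "Account Enabled" is the User Account Control change.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 624, "Message": "User Account Created",
     "New_Account_Name": "svc_backup", "Caller_User_Name": "admin1"},
    {"_time": 1700000000, "EventCode": 642, "Message": "User Account Changed",
     "User_Account_Control": "Account Enabled",
     "Target_Account_Name": "svc_backup", "Caller_User_Name": "admin1"},
    # A standalone enable of an existing account: this is the row we want.
    {"_time": 1700003600, "EventCode": 642, "Message": "User Account Changed",
     "User_Account_Control": "Account Enabled",
     "Target_Account_Name": "jdoe", "Caller_User_Name": "helpdesk2"},
    # A 642 that is not an enable and must be ignored.
    {"_time": 1700007200, "EventCode": 642, "Message": "User Account Changed",
     "User_Account_Control": "Password Not Required",
     "Target_Account_Name": "jdoe", "Caller_User_Name": "helpdesk2"},
]


def account_name(ev):
    """Mirror the two 'rename ... as Account_Name' steps of the search."""
    return ev.get("New_Account_Name") or ev.get("Target_Account_Name")


def enable_only_events(events):
    """Return the 642 'Account Enabled' events that have no 624 'User Account
    Created' partner with the same account, caller and timestamp.
    The (account, caller, _time) key is the 'stats count by' grouping key."""
    created = set()
    for ev in events:
        if ev["EventCode"] == 624 and ev.get("Message") == "User Account Created":
            created.add((account_name(ev), ev["Caller_User_Name"], ev["_time"]))

    rows = []
    for ev in events:
        if ev["EventCode"] != 642 or ev.get("User_Account_Control") != "Account Enabled":
            continue
        key = (account_name(ev), ev["Caller_User_Name"], ev["_time"])
        if key not in created:  # no creation event in the same group -> enable only
            rows.append({"Target_Account_Name": key[0],
                         "Caller_User_Name": key[1], "_time": key[2]})
    return rows


if __name__ == "__main__":
    for row in enable_only_events(SAMPLE_EVENTS):
        print(row)
```

One difference from the stats/where search: it keeps only the 642 side, so a 624 that for some reason arrives without its 642 partner (which `where count=1` would also surface) is not reported.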

lukejadamec
Super Champion

This might work. Maybe. The dedup command will choose the most recent event, so I’m not sure what will happen if both events have the same time – order of search discovery perhaps?

EventCode=642 OR EventCode=624 | search Message="*User Account Changed*" OR Message="*User Account Control*" OR Message="*Account Enabled*" OR Message="*User Account Created*" | dedup _time | table Target_Account_Name Caller_User_Name _time 