Splunk Search

Create a table in my search when I enable/disable account but not when I create account.

dfigurello
Communicator

Hello guys,

I have a question about a query search. I have two queries associated with Windows.

My first query is:
EventCode=624 Message="User Account Created" | table _time New_Account_Name Caller_User_Name

Second query is:
EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled" | table Target_Account_Name Caller_User_Name _time

My problem is: when my customer creates a new account in Active Directory, it creates two events. The first event is "624" "User Account Created", and the other event is "642" "User Account Enabled". So I just need to visualize only ENABLED accounts (event 642), i.e. when an account is enabled (not created) in AD.

The _time field is equal in both events, because these events are created simultaneously.

Thanks,

DF

somesoni2
Revered Legend

As far as I understand the requirement, there are two scenarios:

  1. When a new account is created, two events (with the same timestamp) are written:
    EventCode=624 Message="User Account Created"
    and
    EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled"

  2. When an account is enabled (just enabled, not created), one event is written:
    EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled"

and what you wish is to create a table of the events from scenario 2 (account enable only).
If this is correct, you can use the following.

(EventCode=624 Message="User Account Created") OR (EventIdentifier=642 "User Account Changed" "User Account Control" "Account Enabled" ) | rename New_Account_Name as Account_Name | rename Target_Account_Name as Account_Name| stats count by Account_Name, Caller_User_Name,_time | where count=1
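The pairing logic of the answer above, as an added example that is not part of the original thread: the same "count by account, caller and timestamp, keep the groups of size one" rule, run in Python over a few constructed 624/642 events so the result can be checked offline. It goes slightly beyond the query in two ways: it also checks that the lone surviving event really is the enable (a creation whose enable event is missing, or whose two events carry different timestamps, would otherwise pass the count=1 test as a lone 624), and it adds a windowed variant that tolerates create/enable timestamps a second or two apart. The two-second window and the sample events are assumptions for illustration, not something the post states.

```python
"""Pair Windows 'account created' (624) and 'account enabled' (642) events so
that only stand-alone enables are reported.  Added example; the sample
events are constructed, not taken from a real log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the fields the Splunk Windows
# add-on extracts (_time, EventCode, Message, account and caller names).
SAMPLE_EVENTS = [
    # Scenario 1: account creation writes 624 and 642 with the same _time.
    {"_time": "2012-03-01 10:00:00", "EventCode": 624,
     "Message": "User Account Created", "New_Account_Name": "jsmith",
     "Caller_User_Name": "admin1"},
    {"_time": "2012-03-01 10:00:00", "EventCode": 642,
     "Message": "User Account Changed: User Account Control: Account Enabled",
     "Target_Account_Name": "jsmith", "Caller_User_Name": "admin1"},
    # Scenario 2: an existing account is re-enabled; only 642 is written.
    {"_time": "2012-03-01 11:30:00", "EventCode": 642,
     "Message": "User Account Changed: User Account Control: Account Enabled",
     "Target_Account_Name": "bjones", "Caller_User_Name": "admin2"},
    # Edge case (assumed): a creation whose two events land one second apart.
    {"_time": "2012-03-01 12:00:01", "EventCode": 624,
     "Message": "User Account Created", "New_Account_Name": "kdoe",
     "Caller_User_Name": "admin1"},
    {"_time": "2012-03-01 12:00:02", "EventCode": 642,
     "Message": "User Account Changed: User Account Control: Account Enabled",
     "Target_Account_Name": "kdoe", "Caller_User_Name": "admin1"},
    # A 642 that is a disable, not an enable: must never be reported.
    {"_time": "2012-03-01 13:00:00", "EventCode": 642,
     "Message": "User Account Changed: User Account Control: Account Disabled",
     "Target_Account_Name": "bjones", "Caller_User_Name": "admin2"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def is_create(ev):
    """Mirror of: EventCode=624 Message="User Account Created"."""
    return ev["EventCode"] == 624 and "User Account Created" in ev["Message"]


def is_enable(ev):
    """Mirror of: EventCode=642 "User Account Changed" "User Account Control"
    "Account Enabled" (all three phrases must be present)."""
    m = ev["Message"]
    return (ev["EventCode"] == 642 and "User Account Changed" in m
            and "User Account Control" in m and "Account Enabled" in m)


def account_name(ev):
    """Mirror of the two renames: whichever of New_Account_Name /
    Target_Account_Name the event carries becomes Account_Name."""
    return ev.get("New_Account_Name") or ev.get("Target_Account_Name")


def enable_only_exact(events):
    """The answer's logic: stats count by Account_Name, Caller_User_Name, _time
    | where count=1, plus a check that the lone event is the enable (a lone
    624 would otherwise pass too).  Returns sorted (_time, Account_Name,
    Caller_User_Name) tuples."""
    groups = defaultdict(list)
    for ev in events:
        if is_create(ev) or is_enable(ev):
            key = (ev["_time"], account_name(ev), ev["Caller_User_Name"])
            groups[key].append(ev)
    return sorted(key for key, evs in groups.items()
                  if len(evs) == 1 and is_enable(evs[0]))


def enable_only_windowed(events, window_seconds=2):
    """Same idea, but tolerant of create/enable timestamps that differ by up
    to window_seconds (an assumed tolerance, not from the post).  An enable is
    reported only when no create for the same account and caller falls within
    the window."""
    creates = [ev for ev in events if is_create(ev)]
    window = timedelta(seconds=window_seconds)
    out = []
    for ev in events:
        if not is_enable(ev):
            continue
        t = datetime.strptime(ev["_time"], TIME_FMT)
        paired = any(
            account_name(c) == account_name(ev)
            and c["Caller_User_Name"] == ev["Caller_User_Name"]
            and abs(datetime.strptime(c["_time"], TIME_FMT) - t) <= window
            for c in creates)
        if not paired:
            out.append((ev["_time"], account_name(ev), ev["Caller_User_Name"]))
    return sorted(out)


if __name__ == "__main__":
    for row in enable_only_exact(SAMPLE_EVENTS):
        print("exact  ", *row)
    for row in enable_only_windowed(SAMPLE_EVENTS):
        print("window ", *row)
```

On the constructed input the exact-timestamp rule reports bjones (the genuine re-enable) but also kdoe, whose create and enable events are a second apart; the windowed variant reports only bjones. The disable event is dropped by both because the "Account Enabled" phrase is required. Note also that a `dedup _time` approach cannot distinguish the two same-timestamp events of a creation, since it keeps one of them arbitrarily, which is why the grouping with `where count=1` is the safer choice.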

lukejadamec
Super Champion

This might work. Maybe. The dedup command will choose the most recent event, so I’m not sure what will happen if both events have the same time – order of search discovery perhaps?

EventCode=642 OR EventCode=624 | search Message="*User Account Changed*" OR Message="*User Account Control*" OR Message="*Account Enabled*" OR Message="*User Account Created*" | dedup _time | table Target_Account_Name Caller_User_Name _time 