Splunk Search

EventID - account name from 2 different events in one search

Loves-to-Learn Everything

Hi all, I'm a Splunk beginner and I'm having a hard time getting this particular search down.

My objective is to get the "Account_Name" field from 2 different event codes (4624 type 10 & 4778). The issue is I can't figure out how to get both the 2nd instance of Account_Name for only the 4624, but the first instance of it in the 4778. This is because Windows uses the Account_Name field twice in a lot of logs, but not in some. So I need the first Account_Name in 4778, and the second Account_Name in 4624.

Here is what I have so far. Having trouble putting in that middle piece.

index=main source="WinEventLog:Security" (EventCode=4624 AND Logon_Type=10) | eval Acct=mvindex(Account_Name,1)

***Also find "eventcode=4778" Account_Name****

| rename Acct as "Account Used on Remote Machine" 
| rename Client_Name as "Source Machine" 
| rename ComputerName as "Destination Machine" 
| timechart count by "Account Used on Remote Machine"



index=main source="WinEventLog:Security" (EventCode=4624 AND Logon_Type=10)

This has limited your pipeline of events to just event code 4624. What you probably need to do is include 4778 events as well:

index=main source="WinEventLog:Security" ((EventCode=4624 AND Logon_Type=10) OR EventCode=4778)

You now probably need to merge them into a single event in the pipeline?

You can do this with something like this

| stats count by Account_Name

However, this will just give you a count of events by Account_Name whether that event was a 4624 or 4778.

Given that you seem to be using timechart, do you want the count of events within particular time periods?

Start with the search returning both types of events and decide what you want to do with those.


Loves-to-Learn Everything

I can add 4778 easy enough, the issue is since they both use different "Account_Name" fields, I get garbage trying to filter either one:

4624:

Account_Name,0 = garbage

Account_Name,1 = good, what I want to collect

4778:

Account_Name,0 = good, what I want to collect

Account_Name,1 = does not exist in log, garbage


If I try to collect both events' "Account_Name,0", I get half junk, half good events. It's the same trying to collect "Account_Name,1" because since "Account_Name,1" doesn't exist in the 4778, it has no information to collect and the log is filtered.


I need some way to filter out the 4624 "Account_Name,0".... Or possibly ignore it and join "Account_Name,1" with "Account_Name" from 4778.


| eval Account_Name=if(EventCode="4624",mvindex(Account_Name,1),mvindex(Account_Name,0))
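Putting the thread's pieces together, here is the complete search as an added example; it is not a post from the thread. It assumes the field names used above from the Windows add-on (EventCode, Logon_Type, Account_Name, Client_Name, ComputerName) and index=main as in the question. The eval keeps the pipeline as one stream of events: for each event it picks the second Account_Name value when the event is a 4624 and the first (only) value otherwise, so the later rename and timechart see a single clean field regardless of which event code produced it.

```spl
index=main source="WinEventLog:Security" ((EventCode=4624 AND Logon_Type=10) OR EventCode=4778)
| eval Acct=if(EventCode="4624", mvindex(Account_Name,1), mvindex(Account_Name,0))
| rename Acct AS "Account Used on Remote Machine", Client_Name AS "Source Machine", ComputerName AS "Destination Machine"
| timechart count by "Account Used on Remote Machine"
```

Why the indexes differ: a 4624 event carries two "Account Name" lines, the Subject (the account that requested the logon, often SYSTEM or a machine account ending in $) and the New Logon account, so the add-on extracts Account_Name as a two-value field and index 1 is the user who actually logged on. A 4778 (session reconnected) event has a single Account Name for the reconnecting user plus Client Name, so index 0 is correct there and index 1 is null, which is why filtering on it drops every 4778. To check the pick before charting, replace the timechart with `| table _time EventCode Account_Name Acct` and confirm Acct never holds a machine account for 4624 and is never empty for 4778.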