Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create a search for Event id 4742 (-30 Days)?

Freeza
Explorer
‎06-01-2023 05:49 PM

hi team,
I'm creating a query that I need to look for if a machine changed the password (Password_last_set) more than once for a period of 30 days. I'm not getting it, can you help me? example: if I put the code below with earliest=-90d it brings me the 3 changes. more if I put | search count > 1 it doesn't gather the information and doesn't bring me the statistics.

some help me?

 

Query: (Dont Work)

index="main" source="wineventlog:security" EventCode=4742 user="TRBK8SPRD06$"
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) by Password_Last_Set, user, signature

| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(firstTime) | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(lastTime) |  search count > 1

WORK:

index="main" source="wineventlog:security" EventCode=4742 user="TRBK8SPRD06$"
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) by Password_Last_Set, user, signature

| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(firstTime) | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(lastTime)

thanks in advanced

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2023 10:13 PM

Try where instead of count

| where count > 1

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2023 10:13 PM

Try where instead of count

| where count > 1
Reply
Solved! Jump to solution

Freeza
Explorer
‎06-02-2023 04:50 AM

hi bro, 

it worked, for those who want to use or improve.

index="main" source="wineventlog:security" EventCode=4742 user="hostname$"
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) as machines by user, signature
| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(firstTime) | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(lastTime) | where count > 1

 

thanks in advanced

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...