Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter the subject account name in the event log below as those other than admin?

realkazanova1
Loves-to-Learn
‎11-29-2022 05:22 AM

I want to filter the Subject Account Name in the Event log below as those other than Admin. So I want to see the cases where this log appears outside of the Admin. How can I do it ?

 

 

11/29/2022 12:23:16 PM
LogName=Security
EventCode=4738
EventType=0
ComputerName=dc.windomain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=247213
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was changed.

Subject:
	Security ID:		S-1-5-21-4236582264-665789389-1555517817-1000
	Account Name:		Admin
	Account Domain:		WINDOMAIN
	Logon ID:		0x59B44

Target Account:
	Security ID:		S-1-5-21-4236582264-665789389-1555517817-1324
	Account Name:		aleda.billye
	Account Domain:		WINDOMAIN

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-29-2022 05:29 AM

Hi @realkazanova1,

you have to run a simple search like this:

index=wineventlog EventCode=4738 Account_name!="admin"

put attention if you have the Account_name field or another one.

If you don't have the correct field extractions, you have to install in your Search Head the Splunk_TA_Windows Add-on (https://splunkbase.splunk.com/app/742) to correctly parse your data.

Ciao.

Giuseppe

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...