Splunk Search

Return a set of events that occur after a specific event

Path Finder

I want to create a search that will return all of the logon failure events (based on a set of event IDs, lets say EventID 600,601,602) that occur after the last "Account Unlocked" event for a specific user.

For example, an event is logged anytime a user account is unlocked. Various events are also logged when a user fails to authenticate properly. After a certain number of failed logon attempts, an account lockout occurs.

I want to be able to specify a username and have the search go look for the last account unlock event (lets say EventID 500), then return any logon failure event (EventID 600, 601,601) that occurred for that user after the account unlock event.


Hi All,
Is there any possibility to create a unique index number while indexing because i want to search the result on behalf of last event id i read.then i will read the event greater then from that last event id.
The problem i faced is device is generating wrong date time and that time is future date time in that case our earliest and latest logic is failing. because i was storing the _time value as a last trigger date and that was future date.so i want to create a unique auto incremented row number id while indexing.
Please help!!

0 Karma

Path Finder


Thanks for your reply. I've been playing around with the transaction command this morning and am not finding success. Mainly because the event IDs I'm looking for are not in a sequence, so the startswith and endswith parameters don't seem to work for me.

For example, here is the query I am running:

source="WinEventLog:Security" <Replace with User Name> ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") OR ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") OR (EventCode=671 OR EventCode=4767 OR EventCode=4740 OR EventCode=644) | eval "Caller"=coalesce(Source_Workstation,Client_Address,Caller_User_Name) | eval "Account"=coalesce(User_Name,Logon_account,Logon_Account,User_ID,Security_ID,Target_Account_ID) | eval Description=coalesce(Error_Code_Description, KerberosFailureCode_Description,EventCodeDescription) | table _time, "Account", "Caller", EventCode, Description

This query returns a table of results for the user I specify within the timeframe specified. However, I'd rather see a table that begins with the most recent account unlock event (Actual Event Codes are: 4767 and 671) and ends with the most recent account lock event (4740 or 644). Within the timeframe of those events, I want to see all of the logon failure events for the user (4776, 680,675,672,4771).

Is that even possible in a search?

Ultra Champion

This should give you a listing of the events for user XXXX in chronological order.

sourcetype=your_sourcetype EventID=500 OR EventID=600 OR EventID=601 OR EventID=602 userID=XXXXX| reverse 

More generic (i.e. for all users) you can use the transaction command to group events by user;

sourcetype=your_sourcetype EventID=500 OR EventID=600 OR EventID=601 OR EventID=602|  
transaction userID startswith="EventID=500" 

Hope this helps,