Search for Windows logon events for usernames matc...

ajmb · ‎07-01-2015

I want to start out with: EventIdentifier=4624 | AnomalousValue "Workstation Name"
...but this search returns an error. What am I doing wrong here? It's like Splunk doesn't know what the "Workstation Name" field is.

woodcock · ‎07-01-2015

Based on your clarification, this should work:

EventIdentifier=4624 | anomalousvalue Workstation_Name

woodcock · ‎07-17-2015

Did this work?

woodcock · ‎07-01-2015

Are you sure that it is a field? If it is, this will work, if not you need to make the field exist:

EventIdentifier=4624 | anomalousvalue $Workstation Name$

ajmb · ‎07-01-2015

It returned the field as Workstation_Name, but I've tried:

EventIdentifier=4624 | ...

AnomalousValue 'Workstation_Name'
AnomalousValue "Workstation_Name"
AnomalousValue $Workstation_Name"

every single one of these returns "Error in 'anomalousvalue' command: found no qualifying results. Please verify that the field names are correct"

ajmb · ‎07-01-2015

Well that doesn't work so I guess it isn't a 'field'. This is annoying and confusing.

The event data has a section like this...

Network Information:
Workstation Name: TestClientPc
Source Network Address: 192.168.1.247
Source Port: 52404

So what the heck do I do here? Is this something I have to use eval() for?

woodcock · ‎07-01-2015

Well obviously EventIdentifier is a field so some fields are being created. What do you get from this:

 EventIdentifier=4624 | stats first(*)

This will show you what fields do exist. Perhaps this field is being extracted as Name instead of Workstation Name.

Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!