Searching for an Event that occured before a Spec...

Simple_Search · ‎09-24-2020

Windows does not provide an accurate user who performed an audit policy change on the system (EventCode 4719), it lists System versus the logged in user. I would like to identify EventCode=4719 as the primary event and then search for the closest EventCode=4624 prior to when EventCode=4719 occurred.

I have been checking the splunk community page and google to look for something that meets the need. I cannot seem to grasp this concept and would appreciate the help!

ITWhisperer · ‎09-24-2020

-- your search including (EventCode=4719 OR EventCode=4624)
| streamstats window=2 earliest(EventCode) as previousEventCode earliest(_raw) as previousEvent 
| where EventCode = 4719 AND EventCode != previousEventCode 
| table previousEvent

Simple_Search · ‎09-24-2020

Appreciate the quick response to this! It did return some results but with a multi-machine environment (which I did not disclose) did not return what I was anticipating. I made some modifications and here is what I would like to see....

For each 4719 Event from 100's of machines

Hostname

Time of Event for 4719

Message from 4719

Time of Event for 4624

Message from 4624

Searching for an Event that occured before a Specific Event

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation