Splunk Search

Several user logon event for same host

a_n
Path Finder

Hi,

I have Splunk on Windows network, and using UF for windows events.

I am searching to detect users logon during specific hours: 
index=main source="WinEventLog:Security"EventCode=528 OR EventCode=540 OR EventCode=4624
|where Logon_Type!=3 OR (Logon_Type=3 AND NOT LIKE(host,"DC%"))
| eval Signed_Account=mvindex (Account_Name,1)
|eval hour=strftime(_time,"%H")
| eval ShowTime=strftime(_time,"%D %H:%M")
| search Signed_Account=TThemistokleous (hour>23 OR hour<6)
| table host ShowTime Logon_Type

Issue is, in result, I have for Same HOST, on Same TIME, 2 users signed on. AND Each signed on 4 times!

Can someone please advise, what can be the issue?
Thank you

Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| dedup host,Signed_Account,EventCode,_time

View solution in original post

a_n
Path Finder

Dear @ITWhisperer 
 Thank you for your response.
As for the where clause, I agree.
date_hour does not hold the data, hour field is ok.
we need to now about working in forbidden hours, which is after 11 PM until 6 AM.

The result I have has same hostname, same event code 4624.
This is main search I have with results attached:
index=main source="WinEventLog:Security" EventCode="4624" OR EventCode="539" OR (EventCode="529" AND EventCode="537") OR (EventCode="547" AND EventCode="549")
|where (Logon_Type!=3 OR ( NOT LIKE(host,"DC%"))) AND Logon_Type!=9
| eval Signed_Account=mvindex (Account_Name,1)
|eval hour=strftime(_time,"%H")
|regex Signed_Account!="\$"
| search Signed_Account=* Signed_Account!="SYSTEM" Signed_Account!="ANONYMOUS LOGON" Signed_Account!="Administrator" (hour>23 OR hour<6)
| table host,Signed_Account,EventCode,_time

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

How does date_hour not hold the information, it is derived from _time automatically, is it not?

Can you give me an example of a time that is after 11pm where the hour is greater than 23?

You should examine the "duplicate" events to see is they really are duplicates e.g. the _raw is identical, which might point to a problem with the ingesting of the events. Do the duplicates come from different indexers (assuming you have them)?

0 Karma

a_n
Path Finder

Ah, yes. Now I got your point regarding the time.
I will handle it, thank you.

Back to main issue:
- I have one indexer only.
- I compared 2 problematic events. the only differences are:
Logon ID:  (0x32E964BA , 0x32E964D4)
Source Port: (54833,54835)

What is the solution? How to ignore these?

Thank you again

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| dedup host,Signed_Account,EventCode,_time

a_n
Path Finder

Thank you,
It works, however I am still worried that I may lose some events.

Thank you very much for your help.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Since the alternative to Logon_type!=3 is Logon_type=3, this part is redundant in the where clause i.e.

|where Logon_Type!=3 OR NOT LIKE(host,"DC%")

You may find date_hour already holds the hour so you might be able to use that rather than creating another field with the same information in.

When is hour ever going to be greater than 23? The hours are 0 - 23 inclusive.

Your table command does not include the EventCode, and your times are at the minute scale - is it possible that the "extra" events are for different EventCodes within the same minute?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...