Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Query For Admin Who Unlocked Account

k45bryant
New Member
‎05-14-2019 08:55 AM

Hello All,

I created a query that looks for event 4767 (A user account was unlocked) and it returns the date/time of the event, the Administrator (Account_Name) who unlocked the account and the user who's account was unlocked. The problem is that it also lists the user's account under the "who unlocked the user" column. I think the query is pulling that information from the Target Account --> Account Name field. How do I exclude that from my results?

Here is my query:

index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, Account_Name, user | fields - count | sort - _time
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aromanauskas
Path Finder
‎05-14-2019 12:52 PM

Your answer is in the already extracted fields.

index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, src_user, user | fields - count | sort - _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aromanauskas
Path Finder
‎05-14-2019 12:52 PM

Your answer is in the already extracted fields.

index="wineventlog" EventCode=4767 user=$users$ | stats count by _time, src_user, user | fields - count | sort - _time

0 Karma
Reply
Solved! Jump to solution

k45bryant
New Member
‎05-14-2019 12:58 PM

That worked! Thank you soooo much. You ROCK!

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-14-2019 10:02 AM

can you share some sample events?

0 Karma
Reply
Solved! Jump to solution

k45bryant
New Member
‎05-14-2019 10:05 AM

Are you asking for the results after I run my query? I am not sure what you mean by sample events. Can you clarify your question?

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-14-2019 10:06 AM

the data on which you are performing search

0 Karma
Reply
Solved! Jump to solution

k45bryant
New Member
‎05-14-2019 10:16 AM

Sure. Here you go:

5/13/19
3:50:35.000 PM

05/13/2019 03:50:35 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4767
EventType=0
Type=Information
ComputerName=x.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=xxx
Keywords=Audit Success
Message=A user account was unlocked.

Subject:
Security ID: xxx
Account Name: xx
Account Domain: LANS
Logon ID: xx

Target Account:
Security ID: xx
Account Name:xx
Account Domain: LANS
Collapse
host = xx source = WinEventLog:Security sourcetype = WinEventLog:Security src_user = xx user = xx

0 Karma
Reply
Solved! Jump to solution

k45bryant
New Member
‎05-14-2019 11:46 AM

I am a newbie to splunk and have no idea how to apply regex to my query. Can you help me?

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎05-14-2019 11:25 AM

you will have to apply some regex to get the Account Name fields for user(based on target account name) and Admin (based on Subject Account Name)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...