Splunk Search

Value of Field A = Value of Field B

usernamen6213
Engager

Hi Everyone, 

First time using Splunk Community. I have been working with Splunk for about a year and I've been doing okay but I'm trying to use Active Directory logs to identify when accounts are created. I was looking for ways to do this. I tried using userAccountControl or pwdLastSet=0 but what I thought was a sure thing was to use uSNCreated=uSNChanged. But when I add that to the search, I get no result even though I can see that the original creation record has the same value for both. 

Any suggestions are greatly appreciated. Thank you!


PickleRick
SplunkTrust
SplunkTrust

I suppose you're trying to add a simple fielda=fieldb condition to your search. It won't work. Search conditions match against pre-defined values or sets of values. To match complicated conditions (including dynamic ones, like comparing different fields) you need a "where" command. Like:

index=a source=b field="whatever" ...
| where fielda=fieldb


usernamen6213
Engager

Thank you @PickleRick 

ITWhisperer
SplunkTrust
SplunkTrust

Have these fields already been extracted for each event? Are they present in all events? How did you add uSNCreated=uSNChanged to the search - can you share your search?
