Splunk Search

account was created and deleted

Loves-to-Learn Everything


My query:
index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d | stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name | eval status=case(EventCode=630, \"Account%20Deletion\", EventCode=4726, \"Account%20Deletion\", EventCode=624, \"Account%20Creation\", EventCode=4720, \"Account%20Creation\") | transaction user startswith=status=\"Account%20Creation\" endswith=status=\"Account%20Deletion\" maxevents=2 | where duration < 3600

When I add "Stats values", the query isn't found any hit.

When I delete "Stats values", the query returns with hits.

What is wrong with my query? 🙂



Labels (3)
Tags (3)
0 Karma

stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name

will reduce the fields in the pipeline to TargetUserName,Message, count and Caller_User_Name, therefore EventCode is no longer available for eval will not set status, and transaction has nothing to work with.

0 Karma

Loves-to-Learn Everything

Thanks for your response.


There is another way to create a query with EventID ("user-created") and then EvendID ("user deleted") on 5 min? 

I just want to create a correlation rule with two operations (one after the other) and show display the relevant fields (with the "stats" command).


0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!