Splunk Search

account was created and deleted

or1515
Loves-to-Learn Everything

Hi,

My query:
index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d | stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name | eval status=case(EventCode=630, \"Account%20Deletion\", EventCode=4726, \"Account%20Deletion\", EventCode=624, \"Account%20Creation\", EventCode=4720, \"Account%20Creation\") | transaction user startswith=status=\"Account%20Creation\" endswith=status=\"Account%20Deletion\" maxevents=2 | where duration < 3600

When I add "Stats values", the query isn't found any hit.

When I delete "Stats values", the query returns with hits.

What is wrong with my query? 🙂

Thanks!

 

Labels (3)
Tags (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name

will reduce the fields in the pipeline to TargetUserName,Message, count and Caller_User_Name, therefore EventCode is no longer available for eval will not set status, and transaction has nothing to work with.

0 Karma

or1515
Loves-to-Learn Everything

Thanks for your response.

 

There is another way to create a query with EventID ("user-created") and then EvendID ("user deleted") on 5 min? 

I just want to create a correlation rule with two operations (one after the other) and show display the relevant fields (with the "stats" command).

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...