×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
zuyi21
New Member
Member since: ‎01-15-2015
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-15-2015
View All

How to compare a field found in 2 different event ...

by in Alerting
‎01-21-2015 07:40 PM
‎01-21-2015 07:40 PM
Hi, i would like to create alert. Condition: match Account name(New account) in eventcode 4720 with Account name(member) in eventcode 4728. Below is how the log looks like: Event code 4720: Subject: Security ID: S-1-5-21-97631821-2522574050-3878054474-500 Account Name: administrator Account Domain: ABC Logon ID: 0x6a7a0 New Account: Security ID: S-1-5-21-97631821-2522574050-3878054474-1118 Account Name: T1 Account Domain: ABC Event code 4728: Subject: Security ID: S-1-5-21-97631821-2522574050-3878054474-500 Account Name: administrator Account Domain: ABC Logon ID: 0x6a7a0 Member: Security ID: S-1-5-21-97631821-2522574050-3878054474-1118 Account Name: cn=T1,CN=Users,DC=abc,DC=com Group: Security ID: S-1-5-21-97631821-2522574050-3878054474-1108 Group Name: UAT Group Domain: ABC ... View more

Re: How to compare fields in different Eventcodes?

by in Alerting
‎01-21-2015 01:03 AM
‎01-21-2015 01:03 AM
Hi, i need help. Account_Name can be found both in eventcodes 4720 and 4728. How do i display the Account_Name information in both eventcodes? This is what i have: sourcetype="WinEventLog:Security" (EventCode=4720 AND Account_Name="administrator") OR (EventCode=4728 AND Account_Name="administrator") | eval AccountCreator=mvindex(Account_Name,0) | eval AccountCreated=mvindex(Account_Name,1) | rename Group_Name as "Modified Group" | table _time, host, AccountCreator, AccountCreated, Modifier, "Modified Group", user Thx. ... View more

How to compare fields in different Eventcodes?

by in Alerting
‎01-19-2015 01:39 AM
‎01-19-2015 01:39 AM
Hi, I would like to compare fields in different Eventcodes. Example: In Eventcode 4720, I want to get the info for Creator name and Created account, then find the corresponding 4728 event (showing that the created account in 4720, is in a certain OU, like OU=DEV). If the OU is not equal to DEV, trigger alert. Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM