×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
wingstopdgon
New Member
Member since: ‎04-16-2019
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-16-2019
View All

How to search an event ID for password expiration ...

by in Splunk Search
‎04-16-2019 02:12 PM
‎04-16-2019 02:12 PM
I am trying to search event logs for an event when a user password is set to not expire. But the alert I have setup flags for all account changes not just the one where the Don't expire password - enabled. Any assistance is appreciated. Here is the search string I have. source="WinEventLog:security" EventCode=4738 user=* | eval Modifier=mvindex(Security_ID,0) | eval AccountChanged=mvindex(Security_ID,1) | eval ActionTaken=case(EventCode="4738","User Account Control") | eval ActionHelper=case(EventCode="4738","Don't Expire Password - enabled") | table _time, Modifier, ActionTaken, AccountChanged, ActionHelper ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM