Hello,
I am trying to test on a single host, and this search may be completely wrong. I would appreciate any assistance, as I am just starting to use Splunk.
I am trying to capture any local accounts created or added to the local Administrators group on one host.
This gets me what I need, which is the time (when), hostname, and who created the account, but the Security_ID field is lumping everything into one. I need a column with just the Hostname\LocalAccountName or just LocalAccountName.
Security_ID is including the sAMAccountName that created the account, the local account name, and BUILTIN\Administrators all in one.
This is what I am searching, any help will be appreciated.
MyHostName (EventCode=4732 OR EventCode=4720) | table _time, HostName, src_user, Security_ID, EventCode
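One way to pull the target account out of the multivalue field, as an added example that is not part of the original post. It assumes the classic (non-XML) WinEventLog:Security sourcetype, where the Splunk Add-on for Windows extracts every "Security ID:" line of the event body into Security_ID in the order the text lists them: Subject first, then New Account (4720) or Member (4732), then Group (4732 only). host=MyHostName stands in for whatever host filter is actually used, and the field names subject, target, target_account, group and action are names chosen here, not fields the add-on provides.

```spl
host=MyHostName sourcetype=WinEventLog:Security (EventCode=4720 OR EventCode=4732)
| eval subject=mvindex(Security_ID, 0)
| eval target=mvindex(Security_ID, 1)
| eval group=if(EventCode=4732, mvindex(Security_ID, 2), null())
| where EventCode=4720 OR group="BUILTIN\\Administrators"
| eval target_account=mvindex(split(target, "\\"), -1)
| eval action=case(EventCode=4720, "local account created", EventCode=4732, "member added to local group")
| table _time, host, EventCode, action, subject, target, target_account, group
```

mvindex is zero-based, so index 1 is the second "Security ID:" in the event, which is the new account for 4720 and the member for 4732; the where clause drops 4732 events for groups other than the local Administrators group. Before trusting the column positions, run the base search with `| table EventCode, Security_ID` and confirm the order on your own events, because a forwarder that cannot resolve the SID leaves the raw S-1-5-21-... value in place (split then returns the whole SID as target_account) and a 4732 event usually carries "-" in the member's Account Name field, which is why Security_ID rather than Account_Name is the dependable source for the member. If the host forwards the XML sourcetype (XmlWinEventLog:Security) instead, the equivalent fields are TargetUserName and TargetSid for 4720 and MemberSid and TargetUserName (the group) for 4732, and the mvindex logic is not needed.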