cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
araiv1998
Engager
Member since: ‎10-14-2021
‎10-15-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎10-14-2021
Activity Feed
View All

Re: Tracking user logon (standard and admin accoun...

by in Splunk Search
‎10-14-2021 10:27 AM
‎10-14-2021 10:27 AM
@Stefanie hello! I am getting an error when I paste it into search, about time error. Could you please advise? Thank you  ... View more

Re: Tracking user logon (standard and admin accoun...

by in Splunk Search
‎10-14-2021 06:23 AM
‎10-14-2021 06:23 AM
@Stefanie what would you recommend for the time? So I am looking to track between 6pm and 5am, I tried this but it did not seem to work:   "date_hour›16 date_hour ‹06"   "sourcetype-foo | eval date_ hour=strftime(_time, "%H) | eval date_wday = strftime(_time, "%W") | search date_hour>=16 date_hour<=06 date_wday>=1 date_wday<=5" ... View more

Re: Tracking user logon (standard and admin accoun...

by in Splunk Search
‎10-14-2021 06:13 AM
‎10-14-2021 06:13 AM
Awesome! Thank you so much! truly appreciate it. ... View more

Re: Tracking user logon (standard and admin accoun...

by in Splunk Search
‎10-14-2021 05:55 AM
‎10-14-2021 05:55 AM
@Stefanie Thank you very much for the reply! I am so sorry, could you possibly explain a little? On this section,  “user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)” Are those you are saying to keep out of the search since they are system related? Or are this account you are specifically telling it to look for? I apologize for the dumb question, I am very new to Splunk.. I was told on Friday I needed to learn Splunk asap with zero knowledge hahaha. So I am still very much learning. I am just curious, as I remember if this is something we do not want searched, we put "NOT" in front correct?  ... View more

Tracking user logon (standard and admin account) W...

by in Splunk Search
‎10-14-2021 05:31 AM
‎10-14-2021 05:31 AM
Hello, I am looking to create a report of a search. I have a requirement of tracking user logon to window machines (Active directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. for example, I will see people logged in at 1 am, but the logon id is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. there are about 1500 records a day of these false logons.  I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I cant seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you!    source= “wineventlog: security" EventCode=528 OR EventCode=540 OR EventCode=4624 OR (EventCode=4776 Error_Code=0x0) NOT Account_Name=“*$” NOT Logon _Account="*$" NOT User_Name="*$' | eval Account_Name=mvindex(Account Name, 1) | eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name) | eval User=lower (User) | table  _time, User, EventCode ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-15-2021 01:00 PM
Karma given to
View All