×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
maxwell2k19
New Member
Member since: ‎12-31-2023
‎12-31-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-31-2023
Activity Feed
Topics I've Started
View All

Re: Account Lockout

by in Splunk Enterprise
‎12-31-2023 12:00 PM
‎12-31-2023 12:00 PM
I see in your original post that you mention searching over the last 7 days but your SPL has hardcoded "earliest=-1h" in it. This will override the timerange input into the time selector. I also have some Windows event logs indexing in my local instance and by default, it looks like it is the source=WinEventLog:Security and sourcetype=WinEventLog So maybe try updating your search to something like this and see if you get expected results. index=<your_index> sourcetype=WinEventLog source="WinEventLog:Security" Account_Name=maxwell EventCode=4740 host IN ("dctr01*", "dctr02*", "dctr03*", "dctr04*") earliest=-7d@d latest=now | table _time Caller_Computer_Name Account_Name EventCode Source_Network_Address Workstation_Name ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-31-2023 04:21 AM