Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

account was created and deleted

or1515
Loves-to-Learn Everything
‎05-10-2021 05:08 AM

Hi,

My query:
index=ph_windows_sec sourcetype=XmlWinEventLog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) earliest=-14d | stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name | eval status=case(EventCode=630, \"Account%20Deletion\", EventCode=4726, \"Account%20Deletion\", EventCode=624, \"Account%20Creation\", EventCode=4720, \"Account%20Creation\") | transaction user startswith=status=\"Account%20Creation\" endswith=status=\"Account%20Deletion\" maxevents=2 | where duration < 3600

When I add "Stats values", the query isn't found any hit.

When I delete "Stats values", the query returns with hits.

What is wrong with my query? 🙂

Thanks!

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
Legend
‎05-10-2021 05:17 AM 
stats values(TargetUserName) as TargetUserName ,values(signature) as Message, count by Caller_User_Name

will reduce the fields in the pipeline to TargetUserName,Message, count and Caller_User_Name, therefore EventCode is no longer available for eval will not set status, and transaction has nothing to work with.

0 Karma
Reply

or1515
Loves-to-Learn Everything
‎05-10-2021 05:23 AM

Thanks for your response.

 

There is another way to create a query with EventID ("user-created") and then EvendID ("user deleted") on 5 min? 

I just want to create a correlation rule with two operations (one after the other) and show display the relevant fields (with the "stats" command).

 

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!