Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

"Account_Name" field listing in events 4624, 4768 and 4769 (Windows 2008)

bapruski
Explorer
‎05-15-2012 08:25 AM

I am working on a query to extract all successful authentications (events 4624, 4768 and 4769) per user per day. The problem I am running into is the fact that the Account_Name field can be present more than once (twice in the event 4624). If I use the query:

source="wineventlog:security" (EventCode="4624" OR (EventCode="4768" OR EventCode="4769") (action="success")

the first occurrence of the Account_Name will always be selected for the user name, which in case of event 4624 is wrong and I get false results. If I change the index for the search of the Account_Name to point at the second value:

eval login_account=mvindex(Account_Name,1)

than only events 4624 will be processed and I will loose the information from events 4768 and 4769.

There must be a way of writing an expression which will take care of both cases. Can somebody shed some light here?

Thanks

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-15-2012 09:23 AM

From looking at some similar logs, it seems that the first value for Account_Name is "-" for EventCode 4624. If that is also your case, then the following will correct that;

source="wineventlog:security" EventCode="4624" OR EventCode="4768" OR EventCode="4769" 
| eval Account_Name=if(Account_Name="-", (mvindex(Account_Name,1)), Account_Name)  
| timechart span=1d c by Account_Name

Though in my case all the "corrected" Account_Names are all machine names (e.g. SERVER01$). Depending on the number of users/events and the time over which you run your search, this can take some time to compute.

Hope this helps,

Kristian

Reply

bapruski
Explorer
‎05-15-2012 10:18 AM

That did the trick. Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎07-25-2017 08:46 AM

Don't forget to click Accept to close the question.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...