All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Feature Suggestion - Splunk Windows TA app - WMI:UserAccounts

danielansell
Path Finder
‎02-08-2019 06:11 AM

I recently enabled the WMI:UserAccounts stanza in the wmi.conf of the Windows TA app and found that the WMI:UserAccounts stanza is pulling from the Win32_Accounts class rather than the Win32_UserAccounts class. Pulling from the Win32_Accounts class pulls in all the built-in Windows classes such as "Local Accounts", "Authenticated Users", CREATOR GROUP" amongst a slew of others.

I don't know about everyone else, but I was looking specifically for the entries that show up I type "net user" at the command prompt, or view the Users directory under Local Users and Groups in computer management.

Finally, for what its worth, when using the Win32_Accounts class, I had to create an entry in my props.conf to properly extract the Name field for accounts that contained spaces.

The version of the app I'm using is 4.8.3.

0 Karma
Reply

danielansell
Path Finder
‎02-08-2019 06:23 AM

If anyone else is curious, I was able to simply change the WMI:UserAccounts stanza from Win32_Accounts to Win32_UserAccounts and get the results I expected.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...