×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Casial06
Explorer
Member since: ‎10-04-2023
13 hours ago
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎10-04-2023
View All

Re: Multiple Locked Account Query

by in Splunk Search
13 hours ago
13 hours ago
Hi @livehybrid , Thanks for this info and sample query it helps me complete the query I needed. ... View more

Re: Multiple Locked Account Query

by in Splunk Search
yesterday
yesterday
Thanks this works for me, I already check and tested the result. Just an additional question regarding the 2nd stats command on my post, i also want to count all the result and if the totalAccount >= 10 it should trigger the alert. Should I continue using 2nd stats command or should I use subsearch or join? Here's the 2nd stats command query: | stats count dc(login_account) as "UniqueAccount" values(login_account) as "Login_Account" values(host) as "HostName" values(Workstation_Name) as Source_Computer values(src_ip) as SourceIP by EventCode | where UniqueAccount >= 10 ... View more

Multiple Locked Account Query

by in Splunk Search
Monday
Monday
I'm creating Mutiple Locked account search query while checking the account first if it has 4767 (unlocked) it should ignore account that has 4767 in a span of 4hrs This is my current search query and not sure if the "join" command is working. index=* | join Account_Name [ search index=* EventCode=4740 OR EventCode=4767 | eval login_account=mvindex(Account_Name,1) | bin span=4h  _time | stats count values(EventCode) as EventCodeList count(eval(match(EventCode,"4740"))) as Locked ,count(eval(match(EventCode,"4767"))) as Unlocked by Account_Name | where Locked >= 1 and Unlocked = 0 ] | stats count dc(login_account) as "UniqueAccount" values(login_account) as "Login_Account" values(host) as "HostName" values(Workstation_Name) as Source_Computer values(src_ip) as SourceIP by EventCode| where UniqueAccount >= 10 ... View more
Labels

Re: How do you search Multiple users logged into a...

by in Getting Data In
‎10-04-2023 04:20 AM
‎10-04-2023 04:20 AM
So, I am searching for Multiple users logged into a single machine at the same time, or even within the same hour. Initially this is my search query to display how many users log-on in 1 host. index="windows" sourcetype="WinEventLog" EventCode=4624 | search host!="*$*" | stats dc(user) as user_count by host the problem is it does not count the current user since there's log off events. hope I explained that clearly. Thanks. ... View more

How do you search Multiple users logged into a sin...

by in Getting Data In
‎10-04-2023 03:18 AM
‎10-04-2023 03:18 AM
... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
13 hours ago
Karma given to
View All
OSZAR »