Most useful Splunk commands for Tier 2 / Tier 3
index=wineventlog sourcetype=WinEventLog:Security
| table _time host EventCode Account_Name Message
Useful commands:
search
table
stats
sort
dedup
where
eval
rex
transaction
These are the day-to-day commands most help desk engineers use to narrow scope, summarize results, and isolate patterns.
Top statistics examples
index=wineventlog EventCode=4740
| stats count by user host
index=wineventlog sourcetype=WinEventLog:Security
| stats count by EventCode
index=wineventlog host=PC123
| stats count by SourceName EventCode
Use stats to answer "how many", "by who", "by host", and "what event codes are recurring".
Fast readable output
index=wineventlog EventCode=4740
| table _time host user Caller_Computer_Name Message
| sort - _time
index=o365*
| table _time user operation workload result status
| sort - _time
Use table to keep only the fields you care about and sort to put newest evidence first.
Reduce noise fast
index=wineventlog EventCode=4740
| dedup user
| table _time user host Caller_Computer_Name
index=wineventlog
| where EventCode=4740 OR EventCode=4771 OR EventCode=4776
| table _time host EventCode user Message
Use dedup to keep one result per user or machine, and where when you need Boolean filtering logic.
Field extraction and normalization
index=duo*
| rex field=_raw "username[=:]\s*(?<duo_user>[^,\s]+)"
| table _time host duo_user result reason
index=wineventlog EventCode=4740
| eval target=coalesce(user, Account_Name, TargetUserName)
| table _time host target Message
Use rex when fields are buried in raw text and eval to standardize field names across sources.
Grouping related events
index=wineventlog user=jdoe
| sort - _time
| transaction user maxspan=10m
| table _time user duration eventcount
index=duo* user=jdoe
| sort - _time
| transaction user maxspan=5m
| table _time user duration eventcount result
Use transaction sparingly for short timelines. If you use it, keep sort - _time immediately before it.
transaction is heavier than stats; use it only when you really need related-event grouping.
Event 4740 basics
Event 4740 means a user account was locked out. In practice, correlate it with nearby 4771 or 4776 failures to find the bad credential source.
Splunk example:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4740
| table _time host user Caller_Computer_Name Message
| sort - _time
Basic 4740 triage path
- Find the exact lockout timestamp in the DC security log or Splunk.
- Check the caller computer name if present.
- Look for nearby 4771 or 4776 failures for the same user.
- Check stale credentials in Outlook, phones, mapped drives, scheduled tasks, services, VPN clients, and saved Windows credentials.
- Ask whether the password was recently changed.
Broader lockout hunt:
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4740 OR EventCode=4771 OR EventCode=4776) user=jdoe
| table _time host EventCode user Caller_Computer_Name Message
| sort - _time