These Splunk queries will return deleted accounts in Windows environments (NOTE: the 2003 query requires that the Splunk for Windows app be installed):
2003:
sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, Caller_User_Name, Type, host | sort - Date | rename Target_Account_Name as "Deleted Account" | rename Caller_User_Name as "Source Account"
2008:
sourcetype=WinEventLog:Security (EventCode=4726) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Target\sAccount:\s+.*\s+\w+\s\w+:\s+(?<TargetAccount>.*)" | rex "Account\sName:\s+(?<SourceAccount>.*)" | stats count by Date, TargetAccount, SourceAccount, Keywords, host | sort - Date | rename TargetAccount as "Deleted Account" | rename SourceAccount as "Source Account"
Please help me to get the Splunk query for accounts created in a Windows environment for 2003 and 2008.
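Companion queries for account creation, added here as an example and not taken from the original post. They mirror the two deletion queries above, swapping EventCode 630 for 624 (Windows 2003 "User Account Created") and 4726 for 4720 (Windows 2008 "A user account was created"). Assumptions: the Splunk for Windows app extracts New_Account_Name and Caller_User_Name from event 624 the same way it extracts Target_Account_Name and Caller_User_Name from 630, and the 4720 message carries the created account under a "New Account:" block laid out like the "Target Account:" block in 4726, so the rex pattern is the deletion query's pattern with the block label changed. The first search is for 2003, the second for 2008.

```spl
sourcetype=WinEventLog:Security (EventCode=624)
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date, New_Account_Name, Caller_User_Name, Type, host
| sort - Date
| rename New_Account_Name as "Created Account", Caller_User_Name as "Source Account"

sourcetype=WinEventLog:Security (EventCode=4720)
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "New\sAccount:\s+.*\s+\w+\s\w+:\s+(?<TargetAccount>.*)"
| rex "Account\sName:\s+(?<SourceAccount>.*)"
| stats count by Date, TargetAccount, SourceAccount, Keywords, host
| sort - Date
| rename TargetAccount as "Created Account", SourceAccount as "Source Account"
```

Both searches keep the same stats/rename shape as the deletion queries, so the four can sit side by side on one dashboard. The second rex deliberately captures the first "Account Name:" in the message, which belongs to the Subject block (the account that performed the action); verify this against a real 4720 event in your index before trusting the "Source Account" column, since a different message layout would silently shift which value it picks up.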