# Splunk Drill Down Events

```sql
earliest=$initial_time$ latest=$end_time$ index=$index$ EventCode=4624 NOT Logon_Type IN ("5") host=$orig_host$
```

> orig_action_name  
orig_host  
orig_rid  
orig_sid