I am trying to fine the users created in AD for the last 1 week by using the below query and I see it is giving me a wrong result, pls let me know if any change in query is needed.
_fetch * from event where $EvtLen=4720 AND $Duration=1w limit 1000
I am able to see the $EvtLen for 4813 and 4816.
As per the shared query, I observed that the field used in the query is EvtLen which is used for event length, and the values you have shared are of EventID.
So request you to use field EventId and check whether the output is coming properly or not.
_fetch * from event where $EventID=4720 AND $Duration=7d limit 1000
You might want to try the field $EID for windows events