topic Match 2 Windows Events around the same time in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Match-2-Windows-Events-around-the-same-time/m-p/405227#M71950 <P>I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 woild have a failure also loogged saying "account is disabled"). I can find both of these as seperate events but how do I correlate them.</P> <P>For example if I did say <CODE>sourcetype="winseclogs" Eventcode=4768</CODE> I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say <CODE>sourcetype="winseclogs" Eventcode=4625</CODE> I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slightl drift). How would I correlate these into a single search? </P> <P>I tried this and it looks like it should work but not too sure <CODE>sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]</CODE></P> Wed, 30 Sep 2020 01:26:43 GMT willadams 2020-09-30T01:26:43Z Match 2 Windows Events around the same time https://community.splunk.com/t5/Getting-Data-In/Match-2-Windows-Events-around-the-same-time/m-p/405227#M71950 <P>I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 woild have a failure also loogged saying "account is disabled"). I can find both of these as seperate events but how do I correlate them.</P> <P>For example if I did say <CODE>sourcetype="winseclogs" Eventcode=4768</CODE> I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say <CODE>sourcetype="winseclogs" Eventcode=4625</CODE> I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slightl drift). How would I correlate these into a single search? </P> <P>I tried this and it looks like it should work but not too sure <CODE>sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]</CODE></P> Wed, 30 Sep 2020 01:26:43 GMT https://community.splunk.com/t5/Getting-Data-In/Match-2-Windows-Events-around-the-same-time/m-p/405227#M71950 willadams 2020-09-30T01:26:43Z Re: Match 2 Windows Events around the same time https://community.splunk.com/t5/Getting-Data-In/Match-2-Windows-Events-around-the-same-time/m-p/405228#M71951 <P>You can create a transaction that will accomplish this with the Account_Name as your field you join on:</P> <PRE><CODE>sourcetype="winseclogs" (Eventcode=4625 OR Eventcode=4768) | transaction Account_Name maxspan=5s | search Eventcode=4625 Eventcode=4768 </CODE></PRE> <P>That will join the events together if they happen within 5 seconds of each other. If they truly always occur at the same exact time then you can drop that down to 1s.</P> Wed, 24 Jul 2019 14:48:58 GMT https://community.splunk.com/t5/Getting-Data-In/Match-2-Windows-Events-around-the-same-time/m-p/405228#M71951 dmarling 2019-07-24T14:48:58Z