https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388987#M5813 <P>If there were three or more consecutive events, they would all be added in. You can possibly see this already if you check the field "eventcount".</P> <P>OH! I see why. Sorry, I wasn't paying close enough attention.</P> <P>In the initial search, you search ONLY for <CODE>(EventCode=5059 OR EventCode=4648)</CODE>. So that's all you get. And if you then build a transaction starting with 5059 and ending with 4648... </P> <P>Try removing that bit.</P> <PRE><CODE> sourcetype="WinEventLog:Security" host=PC* | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host | table _time,host,EventCode,Account_Name </CODE></PRE> <P>Let me know if that's better. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>-Rich</P> Tue, 25 Sep 2018 14:19:52 GMT Richfez 2018-09-25T14:19:52Z https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388984#M5810 <PRE><CODE> sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false | table _time,host,EventCode,Account_Name </CODE></PRE> <P>I'm trying to query for all computers and find the event code 5059 followed with an event 4648 within 5 seconds from the same computer. However, the search results return events from 2 different computers and matches them to the same transaction. How can I improve this search query?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5819i8103A15CE5D5F703/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 24 Sep 2018 12:42:14 GMT https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388984#M5810 zaynaly 2018-09-24T12:42:14Z https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388985#M5811 <P>It may be the only thing you are actually missing is the field list to match on.</P> <PRE><CODE>sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host | table _time,host,EventCode,Account_Name </CODE></PRE> <P>Add that <CODE>host</CODE> to the end of the transaction says to only connect them on where host is the same.</P> <P>Happy Splunking!<BR /> -Rich</P> Mon, 24 Sep 2018 13:08:13 GMT https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388985#M5811 Richfez 2018-09-24T13:08:13Z https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388986#M5812 <P>Is there any way to add 3 or more consecutive events to the transacation? I see only start and end, meaning only 2 events?</P> Tue, 25 Sep 2018 14:07:21 GMT https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388986#M5812 zaynaly 2018-09-25T14:07:21Z https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388987#M5813 <P>If there were three or more consecutive events, they would all be added in. You can possibly see this already if you check the field "eventcount".</P> <P>OH! I see why. Sorry, I wasn't paying close enough attention.</P> <P>In the initial search, you search ONLY for <CODE>(EventCode=5059 OR EventCode=4648)</CODE>. So that's all you get. And if you then build a transaction starting with 5059 and ending with 4648... </P> <P>Try removing that bit.</P> <PRE><CODE> sourcetype="WinEventLog:Security" host=PC* | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host | table _time,host,EventCode,Account_Name </CODE></PRE> <P>Let me know if that's better. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>-Rich</P> Tue, 25 Sep 2018 14:19:52 GMT https://community.splunk.com/t5/Knowledge-Management/In-Windows-Security-logs-while-using-transaction-why-am-I-unable/m-p/388987#M5813 Richfez 2018-09-25T14:19:52Z