topic Re: Include only certain codes. in Monitoring Splunk

Include only certain codes.

bogdan_nicolesc — Tue, 29 Sep 2020 22:52:10 GMT

Hi all,

I have a search like this:

(index=* OR index=_) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type= NOT (EventCode=4719 OR EventCode=4624 OR EventCode=4672 OR EventCode=4627 OR EventCode=4634 OR EventCode=4648 OR EventCode=4688 OR EventCode=4616 OR EventCode=4826 OR EventCode=4957 OR EventCode=4776 OR EventCode=1100 OR EventCode=4902 OR EventCode=4647 OR EventCode=1101 OR EventCode=4696 OR EventCode=4905 OR EventCode=4904) | eval EventCode=if(EventCode="4801","Deblocat4801",EventCode) | eval EventCode=if(EventCode="4800","Blocat4800",EventCode) | eval EventCode=if(EventCode="4625","ParolaGresita4625",EventCode) | eval Security_ID=if(Security_ID="HUB\Bogdan.NICOLESCU","Bogdan.Nicolescu",Security_ID) | eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID) | eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID) | rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID | fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID" | bucket _time span=1s | stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID | sort limit=100000 _time | rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID | fillnull "Distinct Count of EventCode" | fields _time, EventCode, Security_ID, "Distinct Count of EventCode"

My question is, how can i include in search only:

Security_ID="Bogdan.Nicolescu" Security_ID="Bogdan.Nicolescu.2" Security_ID="Bogdan.Nicolescu.7759"

So i can get rid of exludes of:

NOT (EventCode=4719 OR EventCode=4624 OR EventCode=4672 OR EventCode=4627 OR EventCode=4634 OR EventCode=4648 OR EventCode=4688 OR EventCode=4616 OR EventCode=4826 OR EventCode=4957 OR EventCode=4776 OR EventCode=1100 OR EventCode=4902 OR EventCode=4647 OR EventCode=1101 OR EventCode=4696 OR EventCode=4905 OR EventCode=4904)

Thank you.

Re: Include only certain codes.

Vijeta — Tue, 22 Jan 2019 17:26:21 GMT

You can write your main search as

(index= OR index=_) (source="WMI:WinEventLog:Security" OR source="WinEventLog:Security") Type=* (Security_ID="HUB\bogdan.nicolescu" OR Security_ID="HUB\bogdan.nicolescu" OR Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759")| eval Security_ID=if(Security_ID="S-1-5-21-2194086089-2732682161-3381787425-7759","Bogdan.Nicolescu.7759",Security_ID) | eval Security_ID=if(Security_ID="HUB\bogdan.nicolescu","Bogdan.Nicolescu.2",Security_ID) | rename EventCode AS RootObject.EventCode Security_ID AS RootObject.Security_ID | fields "_time" "host" "source" "sourcetype" "RootObject.EventCode" "RootObject.Security_ID" | bucket _time span=1s | stats dedup_splitvals=t dc(RootObject.EventCode) AS "Distinct Count of EventCode" by _time, RootObject.EventCode, RootObject.Security_ID | sort limit=100000 _time | rename RootObject.EventCode AS EventCode RootObject.Security_ID AS Security_ID | fillnull "Distinct Count of EventCode" | fields _time, EventCode, Security_ID, "Distinct Count of EventCode"

Re: Include only certain codes.

bogdan_nicolesc — Wed, 23 Jan 2019 12:33:33 GMT

Hi Vijeta,

Yes! Thank you very much. Worked like a charm.

Bogdan.