https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/609975#M10988 <P>The <FONT face="courier new,courier">tstats</FONT> command does not provide the session_id field so you won't be able to filter on it.&nbsp; You'll have to modify the query so <FONT face="courier new,courier">tstats</FONT> returns session_id then you can include the field in your `remote_desktop_network_bruteforce_filter` macro.</P> Thu, 18 Aug 2022 12:50:35 GMT richgalloway 2022-08-18T12:50:35Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/609800#M10987 <P>Hello,</P> <P>We are trying to modify the existing query in the "Remote Desktop Network Bruteforce" correlation search present in the Splunk ES use cases to exclude events with the same session_id.</P> <P>The original query is:</P> <P>&nbsp;</P> <LI-CODE lang="markup">| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count&gt;(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`</LI-CODE> <P>&nbsp;</P> <P><BR /><BR />We have tried using the "dedup" command and the "distinct_count" function of stats command without success.<BR />Thanks in advance,<BR />Best Regards,</P> Fri, 26 Aug 2022 14:22:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/609800#M10987 jmgonzalez 2022-08-26T14:22:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/609975#M10988 <P>The <FONT face="courier new,courier">tstats</FONT> command does not provide the session_id field so you won't be able to filter on it.&nbsp; You'll have to modify the query so <FONT face="courier new,courier">tstats</FONT> returns session_id then you can include the field in your `remote_desktop_network_bruteforce_filter` macro.</P> Thu, 18 Aug 2022 12:50:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/609975#M10988 richgalloway 2022-08-18T12:50:35Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/610713#M10995 <P>After including the "session_id" field within the tstats command, in the BY clause to extract it, we have observed that some results are excluded where there are several different values in the session_id field.</P> Wed, 24 Aug 2022 15:24:45 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/610713#M10995 jmgonzalez 2022-08-24T15:24:45Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/610961#M11001 <P class="lia-align-left">Note that "session_id" is not an eval field in the Network Traffic data model, meaning that it could be null for some entries. If you add session_id to the by clause, these entries would be dismissed. If this is the case, you can either use the "<SPAN>fillnull_value</SPAN>" argument on the tstats command, or instead of adding session_id after the by clause, add it as a values&nbsp;function.</P><PRE>| tstats summariesonly=t count values(All_Traffic.session_id) as session_id min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest All_Traffic.dest_port&nbsp;</PRE><P>&nbsp;</P> Fri, 26 Aug 2022 14:13:29 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-exclude-events-with-same-session-id-Remote-Desktop/m-p/610961#M11001 hettervik 2022-08-26T14:13:29Z