https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453590#M128349 <P>A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:</P> <PRE><CODE>index=privillege_user_actions | SORT time | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" | where eventcount=2 </CODE></PRE> <P>But I'd be really grateful for any assistance on this.</P> Mon, 10 Sep 2018 22:08:24 GMT kelvinJE 2018-09-10T22:08:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453589#M128348 <P>Hi All</P> <P>Wondering if anybody can assist. We're logging privilege user activity (GUI interactions etc) and looking to identify when a certain sequence occurs. </P> <P>We have data such as the following:</P> <PRE><CODE>Time | User | Action 10:00 Joe Copied To Clipboard (Sensitive Data) 10:01 Ben Copied To Clipboard (Normal Data) 10:01 Ben Pasted From Clipboard 10:01 Joe Copied To Clipboard (Normal Data) 10:02 Joe Pasted From Clipboard 10:03 Joe Copied To Clipboard (Sensitive Data) 10:04 Joe Pasted From Clipboard 10:06 Joe Copied To Clipboard (Normal Data) 10:07 Joe Pasted From Clipboard </CODE></PRE> <P>We're only interested in knowing when Sensitive data is copied, then pasted. So exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied, but then overwritten such as Joes actions 10:00, 10:01 and 10:02 then its ignored</P> <P>I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:</P> <PRE><CODE> index=privillege_user_actions | SORT time | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" </CODE></PRE> <P>Could anybody recommend a query for doing this?</P> Mon, 10 Sep 2018 21:48:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453589#M128348 kelvinJE 2018-09-10T21:48:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453590#M128349 <P>A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:</P> <PRE><CODE>index=privillege_user_actions | SORT time | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" | where eventcount=2 </CODE></PRE> <P>But I'd be really grateful for any assistance on this.</P> Mon, 10 Sep 2018 22:08:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453590#M128349 kelvinJE 2018-09-10T22:08:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453591#M128350 <P>Your last query looks good, except for the <CODE>sort</CODE>. Events are returned in reverse time order automatically and <CODE>transaction</CODE> requires events be in that order so sorting won't help in this instance.</P> Tue, 11 Sep 2018 11:31:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453591#M128350 richgalloway 2018-09-11T11:31:58Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453592#M128351 <P>try this:</P> <PRE><CODE>index=privillege_user_actions transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" maxevents=2 </CODE></PRE> Tue, 11 Sep 2018 12:51:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-exact-sequence-of-events/m-p/453592#M128351 adonio 2018-09-11T12:51:08Z