topic Re: How to only keep the rows related with process in Splunk Search

How to only keep the rows related with process

vpaschalidis — Tue, 04 Feb 2020 16:15:45 GMT

Hello, in the below data I have a lot of processes and the ParentProcesses of them.
I would like to keep only the rows related with process "Process4" meaning the first 3 rows.

| makeresults 
  | eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10"
  | makemv mydata 
  | mvexpand mydata 
  | makemv delim="," mydata 
  | eval ParentProcess=mvindex(mydata,0) 
  | eval Process=mvindex(mydata,1)
  | table ParentProcess Process

Many thanks in advance.

Re: How to only keep the rows related with process

DalJeanis — Tue, 04 Feb 2020 19:56:55 GMT

So, you want to keep the rows with Process4, and any rows connected to any process that is connected to that one, recursively?

Re: How to only keep the rows related with process

vpaschalidis — Wed, 05 Feb 2020 08:10:01 GMT

Yes exactly this one.

Re: How to only keep the rows related with process

to4kawa — Tue, 25 Feb 2020 13:07:05 GMT

| makeresults
| eval _raw="User,host,parent_process_id,parent_process,process_id,process,count
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10136,whoami,1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10540,\"AdobeExpiryCheck.exe\",1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",6764,hostname,1
NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,\"cmd\",1
NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1"
| multikv forceheader=1
| table User,host,parent_process_id,parent_process,process_id,process,count
| sort parent_process_id
| eval parent=parent_process_id."_".parent_process, child=process_id."_".process
| eval processes=mvappend(parent,child)
| stats list(processes) as processes
| nomv processes

there is many child process, I dare keep this.

Re: How to only keep the rows related with process

to4kawa — Tue, 25 Feb 2020 13:07:06 GMT

| makeresults 
| eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10" 
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval ParentProcess=mvindex(mydata,0) 
| eval Process=mvindex(mydata,1) 
| table ParentProcess Process
`comment("this is your sample")`
| sort - ParentProcess Process
| streamstats count(eval(match(ParentProcess,"Process4") OR match(Process,"Process4"))) as session
| where session > 0
| fields - session

It works because the field name is this.
It will not be useful if it is an actual log.

Hi, how about this?

| makeresults 
| eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10"
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval ParentProcess=mvindex(mydata,0) 
| eval Process=mvindex(mydata,1)
| table ParentProcess Process
| where match(ParentProcess, "Process4") OR match(Process, "Process4") 
| head 3

Re: How to only keep the rows related with process

vpaschalidis — Tue, 25 Feb 2020 13:07:07 GMT

Basically I would like some how to check the Process4 and then to check backwards Process3-Process2-Process1.

Basically I would like to find the full tree of the processes when I am selecting the Process4 .

Re: How to only keep the rows related with process

vpaschalidis — Wed, 30 Sep 2020 04:20:00 GMT

Basically I need to find a way when I receive such logs to be able to track the full chain of the process.

User host parent_process_id parent_process process_id process count
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 10136 whoami 1
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 10540 "AdobeExpiryCheck.exe" 1
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 6764 hostname 1
NT AUTHORITY\SYSTEM Laptop 8100 C:\WINDOWS\PSEXESVC.EXE 11808 "cmd" 1
NT AUTHORITY\SYSTEM Laptop 816 C:\WINDOWS\system32\services.exe 8100 C:\WINDOWS\PSEXESVC.EXE 1

In this example I would like to find the below.

C:\WINDOWS\system32\services.exe->C:\WINDOWS\PSEXESVC.EXE->"cmd"->whoami

Re: How to only keep the rows related with process

to4kawa — Tue, 25 Feb 2020 13:07:08 GMT

which is ParentProcess?

Re: How to only keep the rows related with process

vpaschalidis — Tue, 25 Feb 2020 13:07:09 GMT

The Process 1 is the parent process of Process 2
The Process 2 is the parent process of Process 3
The Process 3 is the parent process of Process 4

So in the above example I would like to find away to get the full chain from process 4 to process 1.

Re: How to only keep the rows related with process

to4kawa — Tue, 25 Feb 2020 13:07:10 GMT

Have you tried my second query?

Re: How to only keep the rows related with process

vpaschalidis — Tue, 25 Feb 2020 13:30:19 GMT

The approach is very good. However, from all these processes I am interested only in the ones that end with the whoami. So I would like to find a way to end up with as below:

C:\WINDOWS\system32\services.exe - >C:\WINDOWS\PSEXESVC.EXE ->\"cmd\" -> whoami excluding the rest.

Re: How to only keep the rows related with process

to4kawa — Tue, 25 Feb 2020 20:01:54 GMT

| makeresults 
| eval _raw="User,host,parent_process_id,parent_process,process_id,process,count
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10136,whoami,1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10540,\"AdobeExpiryCheck.exe\",1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",6764,hostname,1
NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,\"cmd\",1
NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1" 
| multikv forceheader=1 
| table User,host,parent_process_id,parent_process,process_id,process,count 
| sort parent_process_id 
| eval processes=mvappend(parent_process,process) 
| dedup parent_process
| stats list(processes) as processes 
| eval processes=mvdedup(processes)
| eval processes=mvjoin(processes," -> ")