topic Re: Strange Splunk Search Exclusion Results in Splunk Search

Strange Splunk Search Exclusion Results

johann2017 — Wed, 30 Sep 2020 03:38:15 GMT

Hello. I am creating a search to see when the Account_Name called "helpdesk" logs in via EventCode 4624 with Logon_Type=3. My goal is to see what source machines (src_nt_host) normally perform this logon behavior with that account name. After I find the source machines I will exclude them in the search so I can alert off of it.

A search going back the past 3 months below brings back five different source machines (src_nt_host).

Here is the strange part - when I exclude one of those five source machines using src_nt_host!=machineA then rerun the search, it brings back more source machines that never showed up in the original search! Any clue why this is occurring? It would be awesome if I could figure out what is going on!

index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature

Re: Strange Splunk Search Exclusion Results

TISKAR — Fri, 10 Jan 2020 14:56:08 GMT

Hello,

Can you please add the option of | sort 0 - _time command like this:

**index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort 0 - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature*

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Sort

Re: Strange Splunk Search Exclusion Results

johann2017 — Fri, 10 Jan 2020 15:33:50 GMT

Hello TISKAR. I tried it but it made no difference...

Re: Strange Splunk Search Exclusion Results

TISKAR — Fri, 10 Jan 2020 15:39:37 GMT

Can you please run this request:

index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | stats count

And compar result with:

index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk NOT  src_nt_host=machineA | stats count

Re: Strange Splunk Search Exclusion Results

johann2017 — Fri, 10 Jan 2020 15:59:58 GMT

First search (no exclusions) = 450,073

Second search (with the machineA exclusion) = 79,947

Re: Strange Splunk Search Exclusion Results

johann2017 — Wed, 30 Sep 2020 03:38:21 GMT

If I run these two searches, the Statistics totals are 29 and 28 - only off by one (which makes sense because I excluded only one machine). Therefore that seems to add up correctly. Not sure why my original search only showed 5 systems.

index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator | table src_nt_host | dedup src_nt_host

index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator src_nt_host!=machineA | table src_nt_host | dedup src_nt_host