https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578955#M201779 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;This is what I was exactly looking for, well done.</P><P>appreciate your help!</P><P>Best,</P> Mon, 20 Dec 2021 17:43:47 GMT splunkxorsplunk 2021-12-20T17:43:47Z https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578844#M201729 <P>Hi,<BR />Need help to get following results from the search.&nbsp; all helps will be appreciated.&nbsp;<BR /><BR />On the image below, same colors show match cases I would like to get out of my search. Here is the condition I am looking for:<BR /><BR />Under the same pid which is all same already on image below.&nbsp;</P><P><EM>example -1 ( green on the image) :</EM><BR />pid_of_curl = 990820</P><P>pid_of_sh = 990821</P><P>If exe = curl and ( pid_of_curl + 1 ) has exe = sh</P><P><STRONG>exe is curl and&nbsp;&nbsp;990820 + 1 =&nbsp;990821 = pid in which exe = sh</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkxorsplunk_1-1639899002821.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17296i6B9EDAA0EB0B5A73/image-size/medium?v=v2&amp;px=400" role="button" title="splunkxorsplunk_1-1639899002821.png" alt="splunkxorsplunk_1-1639899002821.png" /></span></P><P>if exe is either "curl" or "wget" and its pid +1 is equal to ( bash or sh ) pid</P> Sun, 19 Dec 2021 07:45:02 GMT https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578844#M201729 splunkxorsplunk 2021-12-19T07:45:02Z https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578845#M201730 <LI-CODE lang="markup">| makeresults | eval _raw="ppid,pid,exe 981804,991701,ls 981804,991819,rm 981804,990820,curl 981804,990821,sh 981804,991019,ls 981804,991886,bash 981804,991885,curl 981804,990940,bash 981804,991940,curl 981804,990770,ls 981804,990997,sleep 981804,990939,curl 981804,991841,ls 981804,991941,sh" | multikv forceheader=1 | table _time ppid pid exe | eval exe_of_interest=if(match(exe,"curl|wget|bash|sh"),pid,null()) | sort 0 ppid pid | streamstats range(exe_of_interest) as difference window=2 by ppid | where difference = 1 and match(exe,"bash|sh")</LI-CODE> Sun, 19 Dec 2021 11:10:20 GMT https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578845#M201730 ITWhisperer 2021-12-19T11:10:20Z https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578868#M201742 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<BR />Thank you so much for spending time and providing this solution.&nbsp;<BR />It gives me the following output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkxorsplunk_0-1639983617385.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17299iDA3982CFD7D8DB06/image-size/medium?v=v2&amp;px=400" role="button" title="splunkxorsplunk_0-1639983617385.png" alt="splunkxorsplunk_0-1639983617385.png" /></span></P><P>However, I need following matches out of the data set.&nbsp;<BR />logic here is :<BR />1. under the same ppid, (curl OR wget ) and ( bash OR sh ) should be available<BR />2. If #1(above) is true, ((pid _of_curl + 1) OR (pid_of_wget + 1 )) = ( pid_of_sh OR pid_of_bash)<BR /><BR />time - ppid - pid - exe<BR />1. time2 -&nbsp;<SPAN>981804</SPAN>&nbsp;-&nbsp;991885,&nbsp;991885 - curl, bash</P><P>2. time2 -<SPAN>981804 -&nbsp;991940,&nbsp;991940 - curl, sh</SPAN></P><P><SPAN>Thanks again.</SPAN></P> Mon, 20 Dec 2021 07:10:29 GMT https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578868#M201742 splunkxorsplunk 2021-12-20T07:10:29Z https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578952#M201776 <LI-CODE lang="markup">| makeresults | eval _raw="ppid,pid,exe 981804,991701,ls 981804,991819,rm 981804,990820,curl 981804,990821,sh 981804,991019,ls 981804,991886,bash 981804,991885,curl 981804,990940,bash 981804,991940,curl 981804,990770,ls 981804,990997,sleep 981804,990939,curl 981804,991841,ls 981804,991941,sh" | multikv forceheader=1 | table _time ppid pid exe | where match(exe,"curl|wget|bash|sh") | sort 0 ppid pid | eval curl_wget_time=if(match(exe,"curl|wget"),_time,null()) | eval bash_sh_time=if(match(exe,"bash|sh"),_time,null()) | eval curl_wget_exe=if(match(exe,"curl|wget"),exe,null()) | eval bash_sh_exe=if(match(exe,"bash|sh"),exe,null()) | eval curl_wget_pid=if(match(exe,"curl|wget"),pid,null()) | eval bash_sh_pid=if(match(exe,"bash|sh"),pid,pid+1) | stats values(curl_wget_pid) as curl_wget_pid values(curl_wget_time) as curl_wget_time values(bash_sh_time) as bash_sh_time values(curl_wget_exe) as curl_wget_exe values(bash_sh_exe) as bash_sh_exe by ppid bash_sh_pid | fieldformat curl_wget_time=strftime(curl_wget_time,"%F %T") | fieldformat bash_sh_time=strftime(bash_sh_time,"%F %T")</LI-CODE> Mon, 20 Dec 2021 17:31:45 GMT https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578952#M201776 ITWhisperer 2021-12-20T17:31:45Z https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578955#M201779 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;This is what I was exactly looking for, well done.</P><P>appreciate your help!</P><P>Best,</P> Mon, 20 Dec 2021 17:43:47 GMT https://community.splunk.com/t5/Splunk-Search/Two-condition-match-sequential-number-pid-and-certain-values-on/m-p/578955#M201779 splunkxorsplunk 2021-12-20T17:43:47Z