<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Quick SPL help with Windows Logs! in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Quick-SPL-help-with-Windows-Logs/m-p/594354#M206863</link>
    <pubDate>Wed, 20 Apr 2022 03:14:30 GMT</pubDate>
    <dc:creator>bowesmana</dc:creator>
    <dc:date>2022-04-20T03:14:30Z</dc:date>
    <item>
      <title>Quick SPL help with Windows Logs!</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Quick-SPL-help-with-Windows-Logs/m-p/594251#M206827</link>
      <description>&lt;P&gt;Good day all,&lt;/P&gt;&lt;P&gt;I come to seek guidance from the experts 🙂&lt;/P&gt;&lt;P&gt;My team and I have been tasked with creating an alert that will capture hosts that start a Windows AV scan (EventCode=1000) on a Friday and don't complete by Monday. These long-running scans are causing issues in the environment and we are hoping to tackle them before the start of business on Monday.&lt;/P&gt;&lt;P&gt;The hosts log EventCode=1001 OR EventCode=1002 when they have stopped their scan.&lt;/P&gt;&lt;P&gt;We have attempted to put together a couple of queries, one using a subsearch that grabs all hosts who have logged EventCode=1000 that is piped into an outer search that does a NOT EventCode=1001 OR EventCode=1002, and the second using the transaction command with the following syntax:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;base search&amp;gt;
| transaction maxspan=3d startswith=EventCode="1000" endswith=(EventCode="1001" OR EventCode="1002") keeporphans=true
| where _txn_orphan=1
| stats count by ComputerName&lt;/LI-CODE&gt;&lt;P&gt;but get no results. I do know that the transaction command is a hog and is generally recommended against. I wanted to ask the collective for any thoughts or ideas on this, to see the best practice for this type of search. I have read a couple of posts using streamstats but I'm not sure if this is the best route for this specific example here. As always, it is greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Apr 2022 12:29:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Quick-SPL-help-with-Windows-Logs/m-p/594251#M206827</guid>
      <dc:creator>dfurtaw</dc:creator>
      <dc:date>2022-04-19T12:29:21Z</dc:date>
    </item>
    <item>
      <title>Re: Quick SPL help with Windows Logs!</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Quick-SPL-help-with-Windows-Logs/m-p/594354#M206863</link>
      <description>&lt;P&gt;Depending on the data, using maxspan of 3 days for transaction is going to be difficult to diagnose. It will silently handle buffer/memory size issues, so you will rarely know if your results are reliable.&lt;/P&gt;&lt;P&gt;I would always start with stats, e.g.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;search&amp;gt; EventCode=1000 OR EventCode=1001 OR EventCode=1002
| stats list(_time) as times list(EventCode) as Codes by ComputerName
| where mvcount(Codes)=1 AND mvindex(Codes,0)="1000"&lt;/LI-CODE&gt;&lt;P&gt;Assuming the search is run from the Friday to some point later, this would return you all ComputerName results where there is ONLY a single result for ComputerName and it is a 1000 EventCode.&lt;/P&gt;&lt;P&gt;Effectively this gives you all the open scans currently in progress.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Apr 2022 03:14:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Quick-SPL-help-with-Windows-Logs/m-p/594354#M206863</guid>
      <dc:creator>bowesmana</dc:creator>
      <dc:date>2022-04-20T03:14:30Z</dc:date>
    </item>
  </channel>
</rss>