topic Re: EventCode Subsearch in Splunk Search

EventCode Subsearch

jeradb — Thu, 22 Feb 2024 16:27:30 GMT

I have an application that I am trying to monitor. There is a specific event code for when the tool is opened to modify the tool (EventCode=250). There is an EventCode for when it is closed (EventCode=100). These two codes display a user name, but the events between them do not. How can I write a search to look for these two events then display the changes between them with the username who completed the change?

| from datamodel:P3 | search EventCode=250 OR 100 OR 70 OR 80 | eval user = coalesce(User, Active_User) | eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P") | table Event_Time, host,user,Device_Added,Device_SN,Device_ID,EventCode, EventDescription

Event_Time host user Device_Added Device_SN Device_ID EventCode
02/22/24 08:49:44 am Test-Com xxxxx 100
02/21/24 03:59:12 pm Test-Com xxxxx 250
02/21/24 03:56:08 pm Test-Com xxxxx 100
02/21/24 03:56:00 pm Test-Com USB 1 12345 PID_1 70
02/21/24 03:56:00 pm Test-Com USB 2 6789 PID_2 70
02/21/24 03:51:10 pm Test-Com USB 1 12345 PID_1 80
02/21/24 03:50:44 pm Test-Com xxxxx 250

Re: EventCode Subsearch

yuanliu — Thu, 22 Feb 2024 17:26:23 GMT

If the illustrated fields are all you have, the only link between 250 -> 100 (with user) and the rest of events (without) is host. I highly doubt if this can be sufficient to determine what a user have done between 250 and 100, unless this tool is strictly single-user and no other things can generate any of these events.

If the tool is single-user only, you can use transaction to group these events together, like

| transaction host startswith="EventCode=250" endswith="EventCode=100"

Once transactions are established, you can then glean completed transactions for event codes that are not 250 and 100. For example,

| transaction host startswith="EventCode=250" endswith="EventCode=100" | stats values(EventCode) as EventCode values(user) as user by host | eval EventCode = mvfilter(NOT EventCode IN ("250", "100"))

Hope this helps.

Re: EventCode Subsearch

jeradb — Thu, 22 Feb 2024 20:41:58 GMT

@yuanliu Is there a way to say if EventCode=70 look upstream for EventCode=250 and join User? I am only trying to capture who created the event.

Re: EventCode Subsearch

yuanliu — Thu, 22 Feb 2024 21:28:50 GMT

This is very much a question of efficiency. If you have a relatively small number of event 70 in a short period of time, but event 250 was some long time ago, using subsearch would be more efficient than retrieving both types of events for a long period of time.

You also need to tell us which EventCode's give you User, which give you Active_User. Assuming that EventCode 250 gives you Active_User but 70 gives you User, you can do something like

| from datamodel:P3 | search EventCode=250 earliest=-1mon ``` earliest value for demonstration purpose only ``` [from datamodel:P3 | search EventCode=70 earliest=-1h ``` earliest value for demonstration purpose only ``` | stats values(User) as Active_User ``` assuming User is present in EventCode 70 to matche Active_User in EventCode 250 ]