https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/709018#M239662 <P>thanks a lot, that was the solution !&nbsp;</P> Thu, 16 Jan 2025 18:24:09 GMT avoelk 2025-01-16T18:24:09Z https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/708265#M239525 <P>I'm trying to create a search in which the following should be done:&nbsp;</P> <P>- look for a user creation process (ID 4720)</P> <P>- and then look (for the same user) if there is a follow up group adding event (4728) for privileged groups like (512,516 etc.)&nbsp;</P> <P>&nbsp;</P> <P>my SPL was so far like that:&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=lalala source=lalala EventID=4720 OR 4728 PrimaryGroupId IN (512,516,517,518,519)</LI-CODE> <P>&nbsp;</P> <P>BUT that way I only look for either a user creation OR a user being added as a privileged user. but I want to like both. I understand that I need to somehow connect those two searches but I don't know how exactly.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 08 Jan 2025 17:25:41 GMT https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/708265#M239525 avoelk 2025-01-08T17:25:41Z https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/708269#M239526 <P>Hello hello!</P><P>I think what you are looking for here is the `transaction` command, but it can have some extra over-head.&nbsp; I'll leave some examples here to see if they work for you. Since your requirement is simple, I suggest using the `stats` command instead of `transaction`. If you wanted to look at a specific EventID first and then another specific EventID after, `transaction` might be easier to implement.<BR /><BR /></P><P>Version using `transaction`:</P><P>&nbsp;</P><LI-CODE lang="markup">index=lalala source=lalala (EventID=4720 OR (EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519))) | transaction UserName maxspan=5m | search EventID=4720 AND EventID=4728</LI-CODE><P>&nbsp;</P><P>Version using `stats`:</P><LI-CODE lang="markup">index=lalala source=lalala (EventID=4720 OR (EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519))) | stats values(EventID) AS EventIDs by UserName | search EventIDs=4720 EventIDs=4728</LI-CODE><P><BR />Edit: Fixing the code blocks.</P> Wed, 08 Jan 2025 21:11:56 GMT https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/708269#M239526 emlin_charly 2025-01-08T21:11:56Z https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/708294#M239534 <P>Hi</P><P>I think that this is place for sub query like</P><LI-CODE lang="markup">index=lalala source=lalala EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519) AND [ search index=lalala source=lalala EventID=4720 | fields UserName | dedup UserName | format ]</LI-CODE><P>In this way it first look those UserNames which has created and then that "outer" base search this those (UserName = "xxx" OR UserName = "yy"....)</P><P>If you are looking for long period then maybe there is better options too.</P><P>r. Ismo&nbsp;</P> Wed, 08 Jan 2025 20:34:54 GMT https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/708294#M239534 isoutamo 2025-01-08T20:34:54Z https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/709018#M239662 <P>thanks a lot, that was the solution !&nbsp;</P> Thu, 16 Jan 2025 18:24:09 GMT https://community.splunk.com/t5/Splunk-Search/Use-Case-for-Privileged-Users-SPL-Question/m-p/709018#M239662 avoelk 2025-01-16T18:24:09Z