topic Re: Is there a better way of searching across a range of EventCodes? in Splunk Search

Is there a better way of searching across a range of EventCodes?

soniquella — Tue, 25 Oct 2016 07:38:34 GMT

Good morning.

I am currently constructing a number of reports showing information relating to our domain controllers.

E.g.
host=domaincontrollers* EventCode=>4944 OR EventCode<=4945 OR EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=4949 OR EventCode=4950 OR EventCode=4951 OR EventCode=4952 OR EventCode=4953 OR EventCode=4954 OR EventCode=4957 OR EventCode=4958

This report should list MPSSVC Rule-Level Policy Changes for the Windows Firewall on the domain controllers.

When there are ranges of event codes available (as above with EventCode 4944-4954) is there a better way to capture all events in a more efficient way?

Many thanks in advance for any help you can offer.

Kind regards,

Rob.

Re: Is there a better way of searching across a range of EventCodes?

gcusello — Tue, 25 Oct 2016 08:30:07 GMT

Hi soniquella,

For me, the best way to manage situations like yours is to use a lookup table so you can change also in a second time the list of your eventcodes:

create a lookup, e.g.: "eventcodes.csv" with one or two columns (two if you need also a description of EventCode) with attention to use the same name of the field (EventCode);
modify your search host=domaincontrollers* [ | inputlookup eventcodes.csv | fields EventCode ] | ...

In this way you have in your search all the EventCodes of your lookup with an OR condition.

Bye.
Giuseppe

Re: Is there a better way of searching across a range of EventCodes?

cmerriman — Tue, 25 Oct 2016 12:12:17 GMT

if it is always going to be those eventcodes, host=domaincontrollers* EventCode=>4944 EventCode<=4945should be fine, you shouldn't have to list out all of the other codes.