All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a table with some column swith WinEventLog:Application sort by event 33205?

atyshke1
Path Finder
‎07-30-2018 11:25 PM

Hello,
Our SQL upload SQL audit data in App log of windows. But I can't find solution how can I create a table with some columns.
App log is:

07/30/2018 10:45:06 AM
LogName=Application
SourceName=MSSQLSERVER
EventCode=33205
EventType=0
Type=Information
ComputerName=xxx02065.xxxx.xxxx.com
TaskCategory=None
OpCode=None
RecordNumber=8975014
Keywords=Audit Success, Classic
Message=Audit event: audit_schema_version:1
event_time:2018-07-30 07:45:05.2846868
sequence_number:1
action_id:CR  
succeeded:true
is_column_permission:false
session_id:65
server_principal_id:303
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
class_type:DB
permission_bitmask:00000000000000000000000000000000
sequence_group_id:18A26E68-7F51-4E14-AD09-4C3610B28C7C
session_server_principal_name:XX1\ADMIN
server_principal_name:XX1\ADMIN
server_principal_sid:0105000000000005150000007a280b4f8541136d9540f20e48f01600
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:xxx02065
database_name:master
schema_name:
object_name:
statement:RESTORE LABELONLY FROM DISK=@P1
additional_information:
user_defined_information:

I create a table use a code:

source="WinEventLog:App*" index="wineventlog" "eventcode=33205" | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | eval Stat=statement | eval Account=server_principal_name | rename host as Host | stats Count by Date, Host | table Host, Date, Stat, Account, Count

But columns Stat and Account is empty 😞
What I do is wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-30-2018 11:39 PM

[UPDATED ANSWER] Added regular expression extraction for server_principal_name and statement as needed in the query.

| rex "server_principal_name:(?<server_principal_name>.*)"
| rex "statement:(?<statement>.*)"

@atyshke1, since you plan to group count of events by Host, Stats Account and Date, you would need to choose the span of time to bucket Date like hourly or daily etc (otherwise only if multiple events occur at the exact same time then they will be counted as aggregate). Following is an example where I have chosen span=1s or 1 second as your time format had precision up to seconds.

source="WinEventLog:App*" index="wineventlog" "eventcode=33205" 
| bin _time span=1s
| rex "server_principal_name:(?<server_principal_name>.*)"
| rex "statement:(?<statement>.*)"
| stats count as Count by _time, host, statement, server_principal_name
| fieldformat _time=strftime(_time, "%Y/%m/%d %H:%M:%S")
| rename statement as Stat, server_principal_name  as Account, host as Host

The above uses fields extracted during search time field discovery in stats command and then uses rename and fieldformat to format the field names and time to be displayed in user friendly manner.

Please try out and confirm.
You can try the following if you need daily count. You can try other options like hourly etc on similar lines.

source="WinEventLog:App*" index="wineventlog" "eventcode=33205" 
| bin _time span=1d
| rex "server_principal_name:(?<server_principal_name>.*)"
| rex "statement:(?<statement>.*)"
| stats count as Count by _time, host, statement, server_principal_name
| fieldformat _time=strftime(_time, "%Y/%m/%d")
| rename statement as Stat, server_principal_name  as Account, host as Host
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

atyshke1
Path Finder
‎07-31-2018 12:44 AM

I use this one:
source="WinEventLog:App*" index="wineventlog" host=$EventHost$ EventCode=$EventCode$ | bin _time span=1d | rex "server_principal_name:(?<UserName>\S+)" | eval Account=coalesce(principal_name,UserName) | rex "statement:(?<Stat>\S+.\S+.\S+.\S+)" | eval Statement=coalesce(St,Stat) | eval Date=strftime(_time, "%Y/%m/%d") | rename host as Host | stats count as Count by Host, Date, Statement, Account

It seems works good.

But your code will be better. Thank you!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-31-2018 12:47 AM

@atyshke1 if it has helped, do accept the answer to mark this question as answered and up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-31-2018 01:47 AM

@atyshke1, you accepted your own answer instead of mine. Please correct. Do up vote the comments that helped as well!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

atyshke1
Path Finder
‎07-31-2018 12:04 AM

I am working with that, may be eval can help me extract exact fields:

source="WinEventLog:App*" index="wineventlog" "eventcode=33205" | rex "\sserver_principal_name:(?\S+)" | eval Account=coalesce(principal_name,UserName) | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rename host as Host | stats count as Count by Date, Host | table Host, Date, Stat, Account, Count

What do you think?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-31-2018 12:19 AM

@atyshke1, as per your previous query I was under impression that fields server_principle_name and statement are already extracted. You can try with the rex command to see if it works and create your own Field Extraction after testing the regular expression.

Following is a run anywhere search based on sample event:

| makeresults 
| eval _raw="07/30/2018 10:45:06 AM
LogName=Application
SourceName=MSSQLSERVER
EventCode=33205
EventType=0
Type=Information
ComputerName=xxx02065.xxxx.xxxx.com
TaskCategory=None
OpCode=None
RecordNumber=8975014
Keywords=Audit Success, Classic
Message=Audit event: audit_schema_version:1
event_time:2018-07-30 07:45:05.2846868
sequence_number:1
action_id:CR 
succeeded:true
is_column_permission:false
session_id:65
server_principal_id:303
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
class_type:DB
permission_bitmask:00000000000000000000000000000000
sequence_group_id:18A26E68-7F51-4E14-AD09-4C3610B28C7C
session_server_principal_name:XX1\ADMIN
server_principal_name:XX1\ADMIN
server_principal_sid:0105000000000005150000007a280b4f8541136d9540f20e48f01600
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:xxx02065
database_name:master
schema_name:
object_name:
statement:RESTORE LABELONLY FROM DISK=@P1
additional_information:
user_defined_information:" 
| eval host="test"
| KV 
| bin span=1d _time
| rex "server_principal_name:(?<server_principal_name>.*)" 
| rex "statement:(?<statement>.*)" 
| stats count as Count by _time, host, statement, server_principal_name 
| fieldformat _time=strftime(_time, "%Y/%m/%d") 
| rename statement as Stat, server_principal_name as Account, host as Host

PS: Pipes from makeresults till KV are used to generate dummy data as per your question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

atyshke1
Path Finder
‎07-30-2018 11:59 PM

If I try source="WinEventLog:App*" index="wineventlog" "eventcode=33205" | stats count as Count by _time, host
Works fine and show some data in a search. If I insert statement or server_principal_name search doesn't find anything...

0 Karma
Reply
Solved! Jump to solution

atyshke1
Path Finder
‎07-30-2018 11:50 PM

It doesn't work. Searching doesn't show any information

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-30-2018 11:39 PM

[UPDATED ANSWER] Added regular expression extraction for server_principal_name and statement as needed in the query.

| rex "server_principal_name:(?<server_principal_name>.*)"
| rex "statement:(?<statement>.*)"

@atyshke1, since you plan to group count of events by Host, Stats Account and Date, you would need to choose the span of time to bucket Date like hourly or daily etc (otherwise only if multiple events occur at the exact same time then they will be counted as aggregate). Following is an example where I have chosen span=1s or 1 second as your time format had precision up to seconds.

source="WinEventLog:App*" index="wineventlog" "eventcode=33205" 
| bin _time span=1s
| rex "server_principal_name:(?<server_principal_name>.*)"
| rex "statement:(?<statement>.*)"
| stats count as Count by _time, host, statement, server_principal_name
| fieldformat _time=strftime(_time, "%Y/%m/%d %H:%M:%S")
| rename statement as Stat, server_principal_name  as Account, host as Host

The above uses fields extracted during search time field discovery in stats command and then uses rename and fieldformat to format the field names and time to be displayed in user friendly manner.

Please try out and confirm.
You can try the following if you need daily count. You can try other options like hourly etc on similar lines.

source="WinEventLog:App*" index="wineventlog" "eventcode=33205" 
| bin _time span=1d
| rex "server_principal_name:(?<server_principal_name>.*)"
| rex "statement:(?<statement>.*)"
| stats count as Count by _time, host, statement, server_principal_name
| fieldformat _time=strftime(_time, "%Y/%m/%d")
| rename statement as Stat, server_principal_name  as Account, host as Host
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...