
How do I assign src_ip to all event codes that have the same Logon_ID?

90509
Engager

I would like to assign src_ip to all events that have the same Logon_ID, but src_ip is only present for EventCode=4624.
Could you please let me know how?

0 Karma

to4kawa
Ultra Champion

Updated:

index=wineventlog EventCode=* Logon_ID!="0x0"
| eventstats values(src_ip) as src_ip by Logon_ID
| stats values(EventCode) as EventCode by Logon_ID src_ip

Hi, @90509
How about this?

0 Karma
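As an added example (not code from this thread or from Splunk), here is a small Python model of the eventstats/stats pipeline above, run over constructed Windows Security events with the same field names. It also shows that a Logon_ID which never produced a 4624 (and therefore has no src_ip) drops out of the final `stats ... by Logon_ID src_ip` row set, because Splunk excludes events whose by-field is null.

```python
from collections import defaultdict

# Constructed sample events (not real logs): only 4624 carries src_ip,
# exactly as described in the question.
EVENTS = [
    {"EventCode": "4624", "Logon_ID": "0x3e7a1", "src_ip": "10.0.0.5"},
    {"EventCode": "4672", "Logon_ID": "0x3e7a1"},
    {"EventCode": "4648", "Logon_ID": "0x3e7a1"},
    {"EventCode": "4625", "Logon_ID": "0x0"},       # dropped by Logon_ID!="0x0"
    {"EventCode": "4634", "Logon_ID": "0x5b2c0"},   # no 4624 for this session
]


def propagate_src_ip(events):
    """Mimic `eventstats values(src_ip) as src_ip by Logon_ID`:
    every surviving event inherits the set of src_ip values seen for its Logon_ID."""
    ips_by_logon = defaultdict(set)
    for ev in events:
        if ev["Logon_ID"] != "0x0" and "src_ip" in ev:
            ips_by_logon[ev["Logon_ID"]].add(ev["src_ip"])
    enriched = []
    for ev in events:
        if ev["Logon_ID"] == "0x0":
            continue
        row = dict(ev)
        # Multivalue field, as values() would produce; empty list == null
        row["src_ip"] = sorted(ips_by_logon.get(ev["Logon_ID"], ()))
        enriched.append(row)
    return enriched


def codes_by_logon_and_ip(events):
    """Mimic `stats values(EventCode) as EventCode by Logon_ID src_ip`.
    A multivalue src_ip expands to one group per IP; an event with no
    src_ip at all is silently dropped, as Splunk does for a null by-field."""
    table = defaultdict(set)
    for ev in propagate_src_ip(events):
        for ip in ev["src_ip"]:
            table[(ev["Logon_ID"], ip)].add(ev["EventCode"])
    return {key: sorted(codes) for key, codes in table.items()}
```

The 4672 and 4648 events inherit 10.0.0.5 through the shared Logon_ID, while the 0x5b2c0 session produces no row at all, which is the behaviour the asker reports in the follow-up below.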

90509
Engager

I appreciate your help, but I want the table like this:

Suppose I take one Logon_ID. That Logon_ID has a number of event codes, like EventCode=4624, 4625, 4672 or 4648. In this scenario all the event codes have the same Logon_ID, but only EventCode=4624 has src_ip. So I need to fetch the results with src_ip assigned to the events or EventCodes that have the same Logon_ID.

0 Karma

90509
Engager

According to your query, if there is no src_ip for an EventCode it is not populated, but I want all event codes that have the same Logon_ID to be assigned the same src_ip.

0 Karma

to4kawa
Ultra Champion

How do I assign src_ip to all event codes that have the same Logon_ID?

I think it has nothing to do with the table display.
I updated the answer, but I'm not sure.

0 Karma

to4kawa
Ultra Champion

EventCode=4624 has both src_ip and logon_id?

0 Karma

90509
Engager

Yes, but some events have only Logon_ID, so for those I need to assign src_ip as well.

0 Karma

90509
Engager

Do I need to perform any join operations?

I have tried this, but it's not working:
index=wineventlog EventCode=*
| where Logon_ID !="0x0"
|stats count by src_ip,Logon_ID,EventCode
|join
[ search index="wineventlog" EventCode=4624
| where Logon_ID !="0x0"
|stats count by src_ip,Logon_ID,EventCode]

0 Karma