Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Match 2 Windows Events around the same time

willadams
Contributor
‎07-24-2019 01:26 AM

I am trying to write a simple rule that correlates 2 events that would occur at the same time. For example an account that is disabled would have the following 2 events logged, 4625 and 4768. 4768 would have the type (i.e. transaction type 0x12) where 4625 woild have a failure also loogged saying "account is disabled"). I can find both of these as seperate events but how do I correlate them.

For example if I did say sourcetype="winseclogs" Eventcode=4768 I would get the info for that search and that showed Account_Name=test _time=20190101 0600. If I then did say sourcetype="winseclogs" Eventcode=4625 I would get the info for that search and that showed Account_Name=test Failure Reason="Account is disabled" _time=20190101 0600 (or even to account for slightl drift). How would I correlate these into a single search?

I tried this and it looks like it should work but not too sure sourcetype=winseclogs Eventcode=4768 [search sourcetype=winseclogs Eventcode=4625 | fields Account_Name _time]

0 Karma
Reply

dmarling
Builder
‎07-24-2019 07:48 AM

You can create a transaction that will accomplish this with the Account_Name as your field you join on:

sourcetype="winseclogs" (Eventcode=4625 OR Eventcode=4768)
| transaction Account_Name maxspan=5s
| search Eventcode=4625 Eventcode=4768

That will join the events together if they happen within 5 seconds of each other. If they truly always occur at the same exact time then you can drop that down to 1s.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...