Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search for users who have triggered multiple Windows Event Codes

trevorQmulos
New Member
‎08-30-2016 01:13 PM

I am looking for a way to show users who have matched three separate Windows Security Event Codes

IE user X has (EventCode 1 AND EventCode 2 AND EventCode 3) OR ( EventCode 4 AND EventCode 5 AND EventCode 6)-> output the three event codes + username to a table.

When I try to just use AND between EventCode, it looks for both of the EventCode numbers in the single field and doesn't find any of the results.

0 Karma
Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎08-30-2016 01:40 PM

You could do it this way:

sourcetype=wineventlog* |stats values(EventCode) by ComputerName |rename values(EventCode) AS eventCodeList |search (eventCodeList=1002 AND eventCodeList=1004 AND eventCodeList=1006)

Basically I am pulling the values in the EventCode and grouping by ComputerName, I rename that field and then I do a subsearch for those 3 values in my initial result set. Depending on what you want the final result to look like, you may want to think about time frame, sequence of event codes and if you want to narrow your initial search to a smaller event code population to streamline the initial search. That said, hopefully this gets you on your way.

0 Karma
Reply

sundareshr
Legend
‎08-30-2016 01:22 PM

Try this

index=eventlogs (EventCode=1 OR EventCode=2 OR EventCode=3 OR EventCode=4 OR  EventCode=5 OR EventCode=6 | eval grp=if(EventCode=1 OR EventCode=2 OR EventCode=3, "Grp1", "Grp2") | chart values(EventCode) as ec by user grp | where (mvfilter(grp1, "1")>=0 AND mvfilter(grp1, "2")>=0 AND mvfilter(grp1, "3")>=0) OR (mvfilter(grp2, "4")>=0 AND mvfilter(grp2, "5")>=0 AND mvfilter(grp2, "6")>=0)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...