Getting Data In

Show results only when EventCodes occur in a specific sequence

wgawhh5hbnht
Communicator

I'm attempting to find events when EventCodes occur in 1, 3, 13, then 4689. (Detection of psexec via windows logs). Here is what I've come up with:

index=windows (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689)
 | streamstats count(eval(EventCode="1" OR EventCode="3" OR EventCode="13" OR EventCode=4689)) AS sessionID BY host
 | transaction host startswith=1 endswith=4689

The problem is the search takes forever to complete and either we don't have any psexec running in the environment or the search isn't correct. Can someone take a look at the logic to determine if I'm on the right path, if this returns any results, & if there is a better way to search for this? Thank you in advance!

0 Karma

Sukisen1981
Champion

if you remove everything after the first pipe , is the search executing for just index=windows (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689) ?
if that is taking too long , can you try these 2 options?
index=windows |fields EventCode|where (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689)
OR
index=windows EventCode=|where (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689)

does it make a difference?

0 Karma

wgawhh5hbnht
Communicator

The portion that takes a long time is
| transaction host startswith=1 endswith=4689

0 Karma

Sukisen1981
Champion

hi @wgawhh5hbnht
can you post a sample event? your command looks ok I am reasonably sure the event structure is different from what I am visualising atm.
PS - One tongue twister of a username 🙂 🙂

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...