Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Show results only when EventCodes occur in a specific sequence

wgawhh5hbnht
Communicator
‎08-22-2019 02:22 PM

I'm attempting to find events when EventCodes occur in 1, 3, 13, then 4689. (Detection of psexec via windows logs). Here is what I've come up with:

index=windows (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689)
 | streamstats count(eval(EventCode="1" OR EventCode="3" OR EventCode="13" OR EventCode=4689)) AS sessionID BY host
 | transaction host startswith=1 endswith=4689

The problem is the search takes forever to complete and either we don't have any psexec running in the environment or the search isn't correct. Can someone take a look at the logic to determine if I'm on the right path, if this returns any results, & if there is a better way to search for this? Thank you in advance!

0 Karma
Reply

Sukisen1981
Champion
‎08-22-2019 11:18 PM

if you remove everything after the first pipe , is the search executing for just index=windows (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689) ?
if that is taking too long , can you try these 2 options?
index=windows |fields EventCode|where (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689)
OR
index=windows EventCode=|where (EventCode=1 OR EventCode=3 OR EventCode=13 OR EventCode=4689)

does it make a difference?

0 Karma
Reply

wgawhh5hbnht
Communicator
‎08-23-2019 06:18 AM

The portion that takes a long time is
| transaction host startswith=1 endswith=4689

0 Karma
Reply

Sukisen1981
Champion
‎08-23-2019 11:51 AM

hi @wgawhh5hbnht
can you post a sample event? your command looks ok I am reasonably sure the event structure is different from what I am visualising atm.
PS - One tongue twister of a username 🙂 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...