Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In Windows Security logs while using transaction why am I unable to get proper results?

zaynaly
Explorer
‎09-24-2018 05:42 AM 
 sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) |  transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false | table _time,host,EventCode,Account_Name

I'm trying to query for all computers and find the event code 5059 followed with an event 4648 within 5 seconds from the same computer. However, the search results return events from 2 different computers and matches them to the same transaction. How can I improve this search query?

alt text

Preview file
98 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎09-24-2018 06:08 AM

It may be the only thing you are actually missing is the field list to match on.

sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) 
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name

Add that host to the end of the transaction says to only connect them on where host is the same.

Happy Splunking!
-Rich

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎09-24-2018 06:08 AM

It may be the only thing you are actually missing is the field list to match on.

sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) 
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name

Add that host to the end of the transaction says to only connect them on where host is the same.

Happy Splunking!
-Rich

0 Karma
Reply
Solved! Jump to solution

zaynaly
Explorer
‎09-25-2018 07:07 AM

Is there any way to add 3 or more consecutive events to the transacation? I see only start and end, meaning only 2 events?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎09-25-2018 07:19 AM

If there were three or more consecutive events, they would all be added in. You can possibly see this already if you check the field "eventcount".

OH! I see why. Sorry, I wasn't paying close enough attention.

In the initial search, you search ONLY for (EventCode=5059 OR EventCode=4648). So that's all you get. And if you then build a transaction starting with 5059 and ending with 4648...

Try removing that bit.

 sourcetype="WinEventLog:Security" host=PC*  
 | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
 | table _time,host,EventCode,Account_Name

Let me know if that's better. 🙂

-Rich

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...