Knowledge Management

In Windows Security logs while using transaction why am I unable to get proper results?

zaynaly
Explorer
 sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) |  transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false | table _time,host,EventCode,Account_Name

I'm trying to query for all computers and find the event code 5059 followed with an event 4648 within 5 seconds from the same computer. However, the search results return events from 2 different computers and matches them to the same transaction. How can I improve this search query?

alt text

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

It may be the only thing you are actually missing is the field list to match on.

sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) 
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name

Add that host to the end of the transaction says to only connect them on where host is the same.

Happy Splunking!
-Rich

View solution in original post

0 Karma

Richfez
SplunkTrust
SplunkTrust

It may be the only thing you are actually missing is the field list to match on.

sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) 
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name

Add that host to the end of the transaction says to only connect them on where host is the same.

Happy Splunking!
-Rich

0 Karma

zaynaly
Explorer

Is there any way to add 3 or more consecutive events to the transacation? I see only start and end, meaning only 2 events?

0 Karma

Richfez
SplunkTrust
SplunkTrust

If there were three or more consecutive events, they would all be added in. You can possibly see this already if you check the field "eventcount".

OH! I see why. Sorry, I wasn't paying close enough attention.

In the initial search, you search ONLY for (EventCode=5059 OR EventCode=4648). So that's all you get. And if you then build a transaction starting with 5059 and ending with 4648...

Try removing that bit.

 sourcetype="WinEventLog:Security" host=PC*  
 | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
 | table _time,host,EventCode,Account_Name

Let me know if that's better. 🙂

-Rich

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...