Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In Windows Security logs while using transaction why am I unable to get proper results?

zaynaly
Explorer
‎09-24-2018 05:42 AM 
 sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) |  transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false | table _time,host,EventCode,Account_Name

I'm trying to query for all computers and find the event code 5059 followed with an event 4648 within 5 seconds from the same computer. However, the search results return events from 2 different computers and matches them to the same transaction. How can I improve this search query?

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎09-24-2018 06:08 AM

It may be the only thing you are actually missing is the field list to match on.

sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) 
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name

Add that host to the end of the transaction says to only connect them on where host is the same.

Happy Splunking!
-Rich

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎09-24-2018 06:08 AM

It may be the only thing you are actually missing is the field list to match on.

sourcetype="WinEventLog:Security" host=PC* (EventCode=5059 OR EventCode=4648) 
| transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
| table _time,host,EventCode,Account_Name

Add that host to the end of the transaction says to only connect them on where host is the same.

Happy Splunking!
-Rich

0 Karma
Reply
Solved! Jump to solution

zaynaly
Explorer
‎09-25-2018 07:07 AM

Is there any way to add 3 or more consecutive events to the transacation? I see only start and end, meaning only 2 events?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎09-25-2018 07:19 AM

If there were three or more consecutive events, they would all be added in. You can possibly see this already if you check the field "eventcount".

OH! I see why. Sorry, I wasn't paying close enough attention.

In the initial search, you search ONLY for (EventCode=5059 OR EventCode=4648). So that's all you get. And if you then build a transaction starting with 5059 and ending with 4648...

Try removing that bit.

 sourcetype="WinEventLog:Security" host=PC*  
 | transaction maxspan=5s startswith=eval(EventCode=5059) endswith=eval(EventCode=4648) keeporphans=false host
 | table _time,host,EventCode,Account_Name

Let me know if that's better. 🙂

-Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...