Splunk Search

Apply condition and filter results

alex4
Loves-to-Learn Lots

Kindly help me with a new SPL

I am getting results for the existing SPL below.

I tried applying a new condition in the existing SPL: EventID=4662 Properties=*EncryptedDSRMPasswordHistory. But I am getting unwanted results for EventID 4662.

So I want the existing SPL result to be compared against the new condition below, and the result filtered if the Properties result has "msLAPS-Password".

New Condition:

index=winsec_prod EventID=4662 Properties=*EncryptedDSRMPasswordHistory*

Existing SPL:

index=winsec_prod 4794 OR (4657 AND DSRMAdminLogonBehavior) OR ((4104 OR 4103) AND DsrmAdminLogonBehavior)
| search ((EventCode=4794) OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*") OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*"))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *


gcusello
SplunkTrust

Hi @alex4 ,

At first, using the search command after the main search you have a slower search; the best practices say to put the search terms as far left as possible.

Then, don't use the search for terms (e.g. 4794 or 4657) when these values are extracted in the EventCode field.

Then, what are the unwanted results with the search you're using?

Did you try to add the last condition you shared to your starting search?

Last information: can the properties field have two values in the same event: Properties="msLAPS-Password" AND Properties=*EncryptedDSRMPasswordHistory.

I'll try to re-write your starting search with the hinted updates:

index=winsec_prod EventCode=4794 OR (EventCode=4657 DSRMAdminLogonBehavior) OR (EventCode IN (4104,4103) DsrmAdminLogonBehavior) ((EventCode=4794) OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*") OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*"))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *

Ciao.

Giuseppe


PickleRick
SplunkTrust

@gcusello Luckily, Splunk is quite resourceful and can optimize some searches on its own.

For example, take this search from my local Splunk at home:

index=_internal host=backup1.local
| search source="/var/log/audit/audit.log"

If you get to the job details dashboard you will see this:

[screenshot: job details dashboard for the search above]

As you can see - the chained searches have been merged into a single search which will be performed in the map phase (normally would be pushed to indexers but my environment is all-in-one in this case).

I wouldn't normally rely on Splunk's ability and would try to make the search "good" anyway but it's worth knowing that chaining searches does not necessarily hurt the performance on its own.

Of course if you do something in between like

| search | calculate_some_fields | search from_those_fields

It won't be optimized out because you still have to calculate those fields first so YMMV. So it's not that easy 😉


_JP
Contributor

Hi @alex4 -

Does something like this help you get to where you want to be:

index=winsec_prod EventCode=4662 ObjectName=*EncryptedDSRMPasswordHistory*
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username

You were referring to EventID in your New Condition, but your SPL was using a field name of EventCode. Also, it looks like the ObjectName field contains the EncryptedDSRMPasswordHistory based on the SPL you shared, instead of the Properties field given in your New Condition.

Also, I removed the | search in my SPL sample. There's an implied search command happening for SPL, and so if you have | search as your first command you can collapse the boolean expression into the first implied search. 🙂

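As an added example (not from the original question or any of the replies above), one way to fold the new 4662 condition into the existing search as a fourth OR branch, using the EventCode field name the existing SPL already uses, and dropping 4662 events whose Properties value contains msLAPS-Password. The index and field names (EventCode, Properties, ObjectName, Object_Name, ScriptBlockText, dest, Computer, ComputerName, src_user, user, user_id) are the ones from the thread; the registry path is copied unchanged from the original search; the AS aliases, the ordering of the branches and the Properties column added to stats are my choices, and the Properties branch assumes that field is where the EncryptedDSRMPasswordHistory string is extracted for 4662 events, which _JP notes may actually be ObjectName in this environment.

```spl
index=winsec_prod
    (EventCode=4794)
    OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*")
    OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*")
    OR (EventCode=4662 Properties="*EncryptedDSRMPasswordHistory*" NOT Properties="*msLAPS-Password*")
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) AS dest
        values(Object_Name) AS Object_Name
        values(Properties) AS Properties
        values(ScriptBlockText) AS ScriptBlockText
    by _time, index, sourcetype, EventCode, Computer, username
```

All four branches sit in the base search, so no separate | search command is needed and the filter runs where the events are read. The NOT is kept inside the 4662 branch so it only affects that event type: if Properties is multivalued, as gcusello asks, a wildcard match against the field is true when any value matches, so NOT Properties="*msLAPS-Password*" drops a 4662 event as soon as any of its Properties values contains msLAPS-Password, which is the behaviour the question asks for. If the string really lives in ObjectName for 4662 events, swap Properties for ObjectName in that branch and in the stats line.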