Splunk Search

Apply condition and filter results

alex4
Loves-to-Learn Lots

Kindly help me with a new SPL

I am getting results from the existing SPL below.

I tried applying a new condition in the existing SPL, EventID=4662 Properties=*EncryptedDSRMPasswordHistory, but I am getting unwanted results for EventID=4662.

So I want the existing SPL result to compare the below new condition and filter the result if Properties result has "msLAPS-Password". 

New Condition:

index=winsec_prod EventID=4662 Properties=*EncryptedDSRMPasswordHistory*

Existing SPL:

index=winsec_prod 4794 OR (4657 AND DSRMAdminLogonBehavior) OR ((4104 OR 4103) AND DsrmAdminLogonBehavior)
| search ((EventCode=4794) OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*") OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*"))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *

0 Karma

gcusello
SplunkTrust

Hi @alex4 ,

At first, using the search command after the main search gives you a slower search; best practices say to put the search terms as far left as possible.

Then, don't use the search for terms (e.g. 4794 or 4657) when these values are extracted in the EventCode field.

Then, what are the unwanted results with the search you're using?

Did you try to add the last condition you shared to your starting search?

Last information: can the properties field have two values in the same event: Properties="msLAPS-Password" AND Properties=*EncryptedDSRMPasswordHistory.

I'll try to rewrite your starting search with the hinted updates:

index=winsec_prod EventCode=4794 OR (EventCode=4657 DSRMAdminLogonBehavior) OR (EventCode IN (4104,4103) DsrmAdminLogonBehavior) ((EventCode=4794) OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*") OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*"))
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

@gcusello Luckily, Splunk is quite resourceful and can optimize some searches on its own.

For example, take this search from my local Splunk at home:

index=_internal host=backup1.local 
| search source="/var/log/audit/audit.log"

If you go to the job details dashboard you will see this:

[Screenshot of the job details dashboard showing the merged search]

As you can see, the chained searches have been merged into a single search which will be performed in the map phase (normally it would be pushed to the indexers, but my environment is all-in-one in this case).

I wouldn't normally rely on Splunk's ability and would try to make the search "good" anyway but it's worth knowing that chaining searches does not necessarily hurt the performance on its own.

Of course if you do something in between like

| search | calculate_some_fields | search from_those_fields

It won't be optimized out because you still have to calculate those fields first so YMMV. So it's not that easy 😉

0 Karma

_JP
Contributor

Hi @alex4 -

Does something like this help you get to where you want to be:

index=winsec_prod EventCode=4662 ObjectName=*EncryptedDSRMPasswordHistory*
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username

You were referring to EventID in your New Condition, but your SPL was using a field name of EventCode.  Also, it looks like the ObjectName field contains the EncryptedDSRMPasswordHistory based on the SPL you shared instead of the Properties field given in your New Condition. 

Also, I removed the | search in my SPL sample. There's an implied search command happening for SPL, and so if you have | search as your first command you can collapse the boolean expression into the first implied search. 🙂

0 Karma
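Putting the thread's suggestions together, here is one way to fold the 4662 condition into the original detection in a single base search, as an added example (not from any of the posts above). It assumes the field names used in the thread (EventCode, ObjectName, ScriptBlockText, Properties) and keeps the original stats/rename tail; the NOT on Properties drops 4662 events whose Properties value contains msLAPS-Password, which is how the question reads, so flip it if you meant to keep only those.

```spl
index=winsec_prod
    (EventCode=4794)
    OR (EventCode=4657 ObjectName="*HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior*")
    OR (EventCode IN (4104,4103) ScriptBlockText="*DsrmAdminLogonBehavior*")
    OR (EventCode=4662 Properties="*EncryptedDSRMPasswordHistory*" NOT Properties="*msLAPS-Password*")
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) values(Properties) by _time, index, sourcetype, EventCode, Computer, username
| rename values(*) as *
```

Because a single 4662 event's Properties field can carry several values, an event listing both EncryptedDSRMPasswordHistory and msLAPS-Password is excluded by the NOT as written; check in your data whether that combination occurs (gcusello's last question) before relying on the filter.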