- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wgawhh5hbnht
Communicator
07-29-2019
08:48 AM
I'm attempting to find out when Windows event log service has been stopped/logs cleared but only when a shutdown command hasn't been issued. I'm assuming the best way to do this is to combine all the stopped EventCodes into 1 field, all the shutdown/restart EventCodes into another field, then search based on first & last of those 2 new fields, and remove any null Shutdown events. My questions are:
- Is this the best way to approach this problem? If not, what is?
- How do you go about combining the following together:
- clearedLogs = (EventCode=1102 OR EventCode=1100 OR EventCode=104)
- Shutdown = (EventCode=1074 OR EventCode=6006 OR EventCode=6008 OR EventCode=6005 OR EventCode=6009 OR EventCode=1076)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2019
09:58 PM
Try this:
index=<You should always specify and index> AND sourcetype=<And sourcetype too>
(EventCode="1102" OR EventCode="1100" OR EventCode="104") OR
(EventCode="1074" OR EventCode="6006" OR EventCode="6008" OR EventCode="6005" OR EventCode="6009" OR EventCode="1076")
| reverse
| streamstats count(eval(EventCode="1102" OR EventCode="1100" OR EventCode="104")) AS sessionID BY host
| stats list(_raw) AS Events values(EventCode) AS EventCodes count(eval(EventCode="1074" OR EventCode="6006" OR EventCode="6008" OR EventCode="6005" OR EventCode="6009" OR EventCode="1076")) AS shutdowns
BY sessionID host
| search shutdowns=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2019
09:58 PM
Try this:
index=<You should always specify and index> AND sourcetype=<And sourcetype too>
(EventCode="1102" OR EventCode="1100" OR EventCode="104") OR
(EventCode="1074" OR EventCode="6006" OR EventCode="6008" OR EventCode="6005" OR EventCode="6009" OR EventCode="1076")
| reverse
| streamstats count(eval(EventCode="1102" OR EventCode="1100" OR EventCode="104")) AS sessionID BY host
| stats list(_raw) AS Events values(EventCode) AS EventCodes count(eval(EventCode="1074" OR EventCode="6006" OR EventCode="6008" OR EventCode="6005" OR EventCode="6009" OR EventCode="1076")) AS shutdowns
BY sessionID host
| search shutdowns=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
07-29-2019
08:59 AM
Hi wgawhh5hbnht,
you could try something like this:
index=wineventlog (EventCode=1102 OR EventCode=1100 OR EventCode=104 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008 OR EventCode=6005 OR EventCode=6009 OR EventCode=1076)
| eval type_of_action=if(EventCode="1102" OR EventCode="1100" OR EventCode="104", "clearedLogs", "Shutdown")
| stats earliest(_time) AS earliest latest(_time) AS latest values(type_of_action) AS type_of_action BY host
in this way for every host you have the first and the last event for each host.
Bye.
Giuseppe
