- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing Field Names and Values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've run into a problem: Splunk ingests Window's security events in such a way that field names may occur more than once and have different values assigned. (e.g., 'Security_ID' can equate to any of the following: alpha-numeric account SID, actual account name, or even account group) I want to compose a search that compares the SIDs from two different events and gives results if a match is found. Something like:
Search for two events, A & B, occurring within 5 seconds of each other, where A possesses an alpha-numeric SID that exactly matches an alpha-numeric SID listed in event B.
The alpha-numeric value is not known in advance. Any insight on how to do this? Your help is much appreciated!
-Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably want to look at a certain SID in the events, either the first or the second, and compare that SID across events. Since the Security_ID is present more than once in these events, Splunk creates what is called a multivalued field. The individual values of the field can be accessed with various functions. You can then build so-called transactions based on this, e.g.
your search for events | eval sid2 = mvindex(Security_ID, 1) | transaction sid2 maxpause=5s
Read more here;
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Transaction
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably want to look at a certain SID in the events, either the first or the second, and compare that SID across events. Since the Security_ID is present more than once in these events, Splunk creates what is called a multivalued field. The individual values of the field can be accessed with various functions. You can then build so-called transactions based on this, e.g.
your search for events | eval sid2 = mvindex(Security_ID, 1) | transaction sid2 maxpause=5s
Read more here;
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Transaction
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly what I needed - thanks again!
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
