Copy and Paste search string

daviess158
New Member

Hi!
I am trying to create a report which I will use as a dashboard panel, to show me who has been copying and pasting files and folders. I want to know what has been copied and pasted, and where they have been pasted to. So far I have managed to look at all files read and written, but I am unable to figure out how to close my search down to show me only instances that have both "read" and "write" Accesses, or is there a better way to do this? My search string in progress is below:

index=windowslogindex EventCode=4663 AND Object_Type=File Accesses="ReadData (or ListDirectory)" | append [search index=windowslogindex EventCode=4663 AND Object_Type=File Accesses="WriteData (or AddFile)"]


niketn
Legend

@daviess158 which field will give you the unique filename?

Instead of using append (which will have subsearch limitations), you can just bring the data from the index for both Read and Write access:

index=windowslogindex EventCode=4663 AND Object_Type=File (Accesses="ReadData (or ListDirectory)" OR Accesses="WriteData (or AddFile)")

Then, if the file name field is filename (provide the actual file name field based on your indexed data), you can, for example, get the Access Types using the stats command. Finally, through a search, find the events which have both Read and Write access:

| stats values(Accesses) as Accesses by filename
| search Accesses="ReadData (or ListDirectory)" AND Accesses="WriteData (or AddFile)"

Following is a run-anywhere example based on Splunk's _internal index:

index=_internal sourcetype=splunkd component=* (log_level="WARN" OR log_level="ERROR")
| stats values(log_level) as log_level by component
| search log_level="WARN" AND log_level="ERROR"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

siddharthkhatsu
Explorer

index=windowslogindex EventCode=4663 AND Object_Type=File (Accesses="ReadData (or ListDirectory)" OR Accesses="WriteData (or AddFile)") | stats dc(Accesses) as Count by "Instance ID or filename"

Now, wherever Count = 2, those files will have logs for both read and write accesses.

I hope this helps.

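The grouping both answers above describe (collect the Accesses values per file, keep the files that show both read and write), carried through in Python over a handful of constructed 4663-style events. This is an added example, not code from the thread or from Splunk; it assumes the file path is in Object_Name and the user in Account_Name (the field names depend on how the Windows data was onboarded), treats Accesses as a single value per event for simplicity, and the sample events are made up. It also goes one step past the thread: a copy produces a ReadData on the source path and a WriteData on a different destination path, so grouping on the full path alone surfaces files edited in place rather than copies. The second function therefore pairs a read with a later write of the same base name into a different directory by the same account within a short window, which is closer to the "what was copied, and where to" that the question asks for.

```python
"""Correlate Windows 4663 file-access events into read/write groups and copy candidates.

Added example for the thread above, not code from the thread. Field names
(Object_Name, Account_Name) and all sample events are assumptions.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Accesses values exactly as they appear in the searches in the thread.
READ = "ReadData (or ListDirectory)"
WRITE = "WriteData (or AddFile)"


@dataclass(frozen=True)
class Event4663:
    time: datetime
    account: str       # Account_Name (assumed field name)
    object_name: str   # Object_Name: full path of the file (assumed field name)
    accesses: str      # Accesses, one value per event (simplification)


# Constructed sample events, not real log data.
SAMPLE_EVENTS: List[Event4663] = [
    # stu copies budget.xlsx from a project folder to a USB drive: read source, write destination.
    Event4663(datetime(2024, 1, 10, 9, 0, 0), "stu", r"C:\Projects\budget.xlsx", READ),
    Event4663(datetime(2024, 1, 10, 9, 0, 1), "stu", r"E:\USB\budget.xlsx", WRITE),
    # stu edits notes.txt in place: read and write on the same object.
    Event4663(datetime(2024, 1, 10, 9, 5, 0), "stu", r"C:\Projects\notes.txt", READ),
    Event4663(datetime(2024, 1, 10, 9, 5, 2), "stu", r"C:\Projects\notes.txt", WRITE),
    # alice reads plan.docx and writes a same-named file elsewhere 90 minutes later.
    Event4663(datetime(2024, 1, 10, 10, 0, 0), "alice", r"C:\Share\plan.docx", READ),
    Event4663(datetime(2024, 1, 10, 11, 30, 0), "alice", r"C:\Temp\plan.docx", WRITE),
]


def accesses_by_object(events: List[Event4663]) -> Dict[str, Set[str]]:
    """Python equivalent of `| stats values(Accesses) as Accesses by Object_Name`."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        out[e.object_name].add(e.accesses)
    return dict(out)


def objects_with_read_and_write(events: List[Event4663]) -> List[str]:
    """Equivalent of the `| search Accesses=READ AND Accesses=WRITE` step.

    Note that this only matches objects whose full path saw both accesses,
    i.e. files modified in place, not a copy whose read and write land on
    two different paths.
    """
    groups = accesses_by_object(events)
    return sorted(obj for obj, acc in groups.items() if READ in acc and WRITE in acc)


def candidate_copies(events: List[Event4663], window_seconds: int = 30) -> List[Tuple[str, str, str]]:
    """Pair a read of <dir_a>\\name with a later write of <dir_b>\\name (dir_b != dir_a)
    by the same account within window_seconds. Returns (account, source, destination)."""
    reads = [e for e in events if e.accesses == READ]
    writes = [e for e in events if e.accesses == WRITE]
    pairs: List[Tuple[str, str, str]] = []
    for r in reads:
        r_base = ntpath.basename(r.object_name).lower()
        r_dir = ntpath.dirname(r.object_name).lower()
        for w in writes:
            if w.account != r.account:
                continue
            if ntpath.basename(w.object_name).lower() != r_base:
                continue
            if ntpath.dirname(w.object_name).lower() == r_dir:
                continue  # same path: an in-place edit, not a copy
            delta = (w.time - r.time).total_seconds()
            if not 0 <= delta <= window_seconds:
                continue  # write must follow the read, and not too long after
            pairs.append((r.account, r.object_name, w.object_name))
    return pairs


if __name__ == "__main__":
    print("read+write on same object:", objects_with_read_and_write(SAMPLE_EVENTS))
    for account, src, dst in candidate_copies(SAMPLE_EVENTS):
        print(f"{account} copied {src} -> {dst}")
```

Widening window_seconds trades false negatives for false positives: with the default 30 seconds only the USB copy is reported, while a two-hour window also pairs alice's read of plan.docx with her later write under C:\Temp. In SPL the same pairing needs a transaction or a self-join on the base name, which is why the answers above start with the simpler stats-by-filename step.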

daviess158
New Member

Hi Sidd
Thanks, sorry for the late reply, I haven't been able to get online for a while!
I was wondering why the info in the second line was greyed out. I have tried the string you suggested, but nothing shows up in the statistics tab.
Can you tell me if there is something else I can try, or help me amend the string please?
Stu
