
Creating report search issues

DanAlexander
Communicator

Hi All,

I am trying to create an efficient way to pull out certain win events for my report but I am not sure it would return the results I want. It truncates some of the results. I might be doing something wrong. Please see the code that I am currently running and suggest an improvement. Thank you all!

index=mbda_windows_server sourcetype=XmlWinEventLog EventCode=4718 OR 4728 OR 4729 OR 4730 OR 4732 OR 4733 OR 4756 OR 4757 OR 4762 OR 4796 OR 5136
| dedup src_user, MemberSid, Group_Domain, Group_Name, host, _time
| convert timeformat="%d/%m/%Y %H:%M" ctime(_time)
| rename src_user AS Login, MemberSid AS Account, Group_Domain AS Domain, Group_Name AS Group, host AS Host, _time AS Min_NormDateMin, name AS EventName
| table Login, Account, Domain, Group, Host, Min_NormDateMin, EventCode, EventName
| sort EventCode


DanAlexander
Communicator

Also, I wanted to know what would be the best way to automatically email the report results to me scheduled every day at 10 AM?


javiergn
Super Champion

Run the search, then click on "Save As" > Alert and choose your schedule, and within "Trigger Actions" select "Send email".

[Attached screenshots: Screenshot 2022-07-21 at 10.04.46.png, Screenshot 2022-07-21 at 10.05.16.png]


DanAlexander
Communicator

I did that yesterday, but no report landed in my email box. Do I need to configure something else?

Thank you


javiergn
Super Champion

You have to configure the email notification settings:

 

https://docs.splunk.com/Documentation/Splunk/9.0.0/Alert/Emailnotification

DanAlexander
Communicator

Thank you @javiergn 


DanAlexander
Communicator

How can I remove the duplicates efficiently as not all events contain the same fields and these events will be dropped? I need to remove the duplicates anyway.


javiergn
Super Champion

Hi, the first line is wrong; try one of the following two:

index=mbda_windows_server sourcetype=XmlWinEventLog EventCode IN (4718, 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4762, 4796, 5136)

index=mbda_windows_server sourcetype=XmlWinEventLog (EventCode=4718 OR EventCode=4728 OR EventCode=4729 OR EventCode=4730 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757 OR EventCode=4762 OR EventCode=4796 OR EventCode=5136)

DanAlexander
Communicator

Thanks for the swift reply. Please let me know how to remove duplicates that do not have the same fields. I would like to avoid dropping events because of this. Thank you!


javiergn
Super Champion

If I understand correctly you want to remove duplicates based on a field with different names across certain events. If so simply create a field that is common across them with coalesce, as in:

| eval myfield = coalesce(fieldname1, fieldname2, fieldname3, ...)

 

Then use dedup based on myfield.
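Putting the two fixes together, as an added example that is not from the thread: the EventCode IN filter from above, a coalesce-built identifier so dedup no longer depends on a field that only some event types carry, and dedup keepempty=true so events missing one of the dedup fields are kept rather than silently dropped. The AttributeValue and ObjectDN fields for the 5136 events are assumptions for illustration, and rounding _time to the minute is added because deduplicating on the raw _time almost never collapses two events.

```spl
index=mbda_windows_server sourcetype=XmlWinEventLog EventCode IN (4718, 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4762, 4796, 5136)
| eval Account = coalesce(MemberSid, AttributeValue, "unknown")
| eval Group = coalesce(Group_Name, ObjectDN, "unknown")
| eval minute = floor(_time / 60)
| dedup src_user, Account, Group, host, minute keepempty=true
| convert timeformat="%d/%m/%Y %H:%M" ctime(_time)
| rename src_user AS Login, Group_Domain AS Domain, host AS Host, _time AS Min_NormDateMin, name AS EventName
| table Login, Account, Domain, Group, Host, Min_NormDateMin, EventCode, EventName
| sort EventCode
```

The "unknown" fallback in coalesce guarantees Account and Group exist on every event, so keepempty=true only has to cover events lacking src_user or host; the minute field is used only for dedup and is left out of the table.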

 

DanAlexander
Communicator

Thanks for the help, @javiergn 

Much appreciated!


javiergn
Super Champion

Sure, no problem. Don't forget to mark the above as answered so that we can close the thread.

Regards,

Javier
