Creating report search issues

DanAlexander
Path Finder

Hi All,

I am trying to create an efficient way to pull out certain win events for my report but I am not sure it would return the results I want. It truncates some of the results. I might be doing something wrong. Please see the code that I am currently running and suggest an improvement. Thank you all!

index=mbda_windows_server sourcetype=XmlWinEventLog EventCode=4718 OR 4728 OR 4729 OR 4730 OR 4732 OR 4733 OR 4756 OR 4757 OR 4762 OR 4796 OR 5136
| dedup src_user, MemberSid, Group_Domain, Group_Name, host, _time
| convert timeformat="%d/%m/%Y %H:%M" ctime(_time)
| rename src_user AS Login, MemberSid AS Account, Group_Domain AS Domain, Group_Name AS Group, host AS Host, _time AS Min_NormDateMin, name AS EventName
| table Login, Account, Domain, Group, Host, Min_NormDateMin, EventCode, EventName
| sort EventCode


DanAlexander
Path Finder

Also, I wanted to know what would be the best way to automatically email the report results to me scheduled every day at 10 AM?


javiergn
SplunkTrust

Run the search, then click on "Save As" > Alert, choose your schedule and within "Trigger Actions" select "Send email".

DanAlexander
Path Finder

I did that yesterday, but no report landed in my email box. Do I need to configure something else?

Thank you

javiergn
SplunkTrust

You have to configure the email notification settings:

 

https://docs.splunk.com/Documentation/Splunk/9.0.0/Alert/Emailnotification

DanAlexander
Path Finder

Thank you @javiergn

DanAlexander
Path Finder

How can I remove the duplicates efficiently, as not all events contain the same fields and these events will be dropped? I need to remove the duplicates anyway.

javiergn
SplunkTrust

Hi, the first line is wrong; try using one of the following two:

index=mbda_windows_server sourcetype=XmlWinEventLog EventCode IN (4718, 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4762, 4796, 5136)

index=mbda_windows_server sourcetype=XmlWinEventLog (EventCode=4718 OR EventCode=4728 OR EventCode=4729 OR EventCode=4730 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757 OR EventCode=4762 OR EventCode=4796 OR EventCode=5136)

DanAlexander
Path Finder

Thanks for the swift reply. Please let me know how to remove duplicates that do not have the same fields. I would like to avoid dropping events because of this. Thank you!

javiergn
SplunkTrust

If I understand correctly, you want to remove duplicates based on a field with different names across certain events. If so, simply create a field that is common across them with coalesce, as in:

| eval myfield = coalesce(fieldname1, fieldname2, fieldname3, ...)

Then use dedup based on myfield.
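Putting javiergn's two suggestions together (IN instead of a bare OR list, which Splunk otherwise reads as free-text keyword terms, and coalesce before dedup), as an added example that is not code from the thread. MemberName, TargetSid and TargetUserName are assumed alternative field names for events that do not carry MemberSid or Group_Name; replace them with the fields your 4718 and 5136 events actually extract.

```spl
index=mbda_windows_server sourcetype=XmlWinEventLog
    EventCode IN (4718, 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4762, 4796, 5136)
| eval Account = coalesce(MemberSid, MemberName, TargetSid)
| eval Group = coalesce(Group_Name, TargetUserName)
| dedup keepempty=true src_user, Account, Group_Domain, Group, host, _time
| convert timeformat="%d/%m/%Y %H:%M" ctime(_time)
| rename src_user AS Login, Group_Domain AS Domain, host AS Host, _time AS Min_NormDateMin, name AS EventName
| table Login, Account, Domain, Group, Host, Min_NormDateMin, EventCode, EventName
| sort EventCode
```

dedup discards any event whose dedup fields are null, so keepempty=true retains events for which none of the coalesce candidates existed instead of silently dropping them; omit it once you have confirmed every event code populates Account and Group.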

DanAlexander
Path Finder

Thanks for the help, @javiergn

Much appreciated!

javiergn
SplunkTrust

Sure, no problem. Don't forget to mark the above as answered so that we can close the thread.

Regards,

Javier