Splunk Search

Display only events that fulfill all IN conditions

DanielAmlung
Path Finder

Hi Team,

I have a search that queries for 4 IN conditions and then lists them. The search works fine, but I need help with one request. I only want to display the events that fulfill all 4 conditions within the IN statement:

Search:

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn

Table:

[screenshot of the results table: splunk_question.png]

So I only want to see the events that match all 4 RelativeTargetNames, not the ones that match only one.


Any help would be appreciated 🙂

1 Solution

ITWhisperer
SplunkTrust
| stats list(RelativeTargetName) as RelativeTargetName by src_ip, src_user,host_fqdn
| where mvcount(RelativeTargetName) = 4


PickleRick
SplunkTrust

As an additional hint, you could add all four search terms literally to limit the initial search results for a bit of a performance boost.

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$ samr lsarpc srvsvc winreg
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn

But whether this is significantly beneficial, you'd have to check on the job inspector page.

Another way to limit your results (as opposed to @ITWhisperer's solution, which works on the summarized data) would be to add all four values explicitly as field values, not with the IN clause.

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName=samr RelativeTargetName=lsarpc RelativeTargetName=srvsvc RelativeTargetName=winreg src_user!=*$

DanielAmlung
Path Finder

Thanks for pointing me in the right direction. I slightly modified the search and it now works:


index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) as all by src_ip, src_user,host_fqdn
| where mvcount(all) = 4

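The final search above, re-implemented in Python over constructed event 5145 lines. This is an added example, not code from the thread or from Splunk: the field names mirror the SPL search, but the users, hosts, addresses and events are made up. The four pipes in the IN clause are the RPC endpoints behind SAM, LSA, server-service and remote-registry enumeration, so the interesting row is an actor that opened all four on one host. The naive_count_hits function is included to show why the first "stats count by" step matters: list() keeps duplicates, so without that dedup a source that opened one pipe four times would pass an mvcount(...) = 4 check, while a source that opened all four plus a repeat would not.

```python
"""
Added example (not code from the thread): the final SPL pipeline,
re-implemented over constructed 5145 events so the grouping and the
"all four pipes" filter can be checked outside Splunk.
"""
from collections import defaultdict

# The named pipes from the search's IN (...) clause.
REQUIRED_PIPES = frozenset({"samr", "lsarpc", "srvsvc", "winreg"})

# Constructed sample events, one per line, key=value, with the same field
# names the SPL search uses. Users, hosts and addresses are made up.
# Windows records the IPC$ share in event 5145 as \\*\IPC$.
SAMPLE_EVENTS = r"""
EventCode=5145 host_fqdn=dc01.corp.example src_user=alice src_ip=10.0.0.5 file_name=\\*\IPC$ RelativeTargetName=samr
EventCode=5145 host_fqdn=dc01.corp.example src_user=alice src_ip=10.0.0.5 file_name=\\*\IPC$ RelativeTargetName=samr
EventCode=5145 host_fqdn=dc01.corp.example src_user=alice src_ip=10.0.0.5 file_name=\\*\IPC$ RelativeTargetName=lsarpc
EventCode=5145 host_fqdn=dc01.corp.example src_user=alice src_ip=10.0.0.5 file_name=\\*\IPC$ RelativeTargetName=srvsvc
EventCode=5145 host_fqdn=dc01.corp.example src_user=alice src_ip=10.0.0.5 file_name=\\*\IPC$ RelativeTargetName=winreg
EventCode=5145 host_fqdn=dc01.corp.example src_user=alice src_ip=10.0.0.5 file_name=\\*\IPC$ RelativeTargetName=spoolss
EventCode=5145 host_fqdn=dc01.corp.example src_user=bob src_ip=10.0.0.7 file_name=\\*\IPC$ RelativeTargetName=samr
EventCode=5145 host_fqdn=dc01.corp.example src_user=bob src_ip=10.0.0.7 file_name=\\*\IPC$ RelativeTargetName=samr
EventCode=5145 host_fqdn=dc01.corp.example src_user=bob src_ip=10.0.0.7 file_name=\\*\IPC$ RelativeTargetName=samr
EventCode=5145 host_fqdn=dc01.corp.example src_user=bob src_ip=10.0.0.7 file_name=\\*\IPC$ RelativeTargetName=srvsvc
EventCode=5145 host_fqdn=dc01.corp.example src_user=SRV02$ src_ip=10.0.0.9 file_name=\\*\IPC$ RelativeTargetName=samr
EventCode=5145 host_fqdn=dc01.corp.example src_user=SRV02$ src_ip=10.0.0.9 file_name=\\*\IPC$ RelativeTargetName=lsarpc
EventCode=5145 host_fqdn=dc01.corp.example src_user=SRV02$ src_ip=10.0.0.9 file_name=\\*\IPC$ RelativeTargetName=srvsvc
EventCode=5145 host_fqdn=dc01.corp.example src_user=SRV02$ src_ip=10.0.0.9 file_name=\\*\IPC$ RelativeTargetName=winreg
EventCode=5140 host_fqdn=dc01.corp.example src_user=carol src_ip=10.0.0.11 file_name=\\*\IPC$ RelativeTargetName=winreg
EventCode=5145 host_fqdn=dc01.corp.example src_user=carol src_ip=10.0.0.11 file_name=\\*\C$ RelativeTargetName=samr
"""


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; the constructed values contain no spaces."""
    return dict(token.split("=", 1) for token in line.split())


def matches_base_search(ev: dict) -> bool:
    """Mirror the SPL base search: EventCode=5145, the IPC$ share,
    RelativeTargetName in the IN list, and src_user!=*$ (no machine accounts)."""
    share = ev.get("file_name", "")
    return (
        ev.get("EventCode") == "5145"
        and share.startswith("\\\\") and share.endswith("\\IPC$")
        and ev.get("RelativeTargetName") in REQUIRED_PIPES
        and not ev.get("src_user", "").endswith("$")
    )


def distinct_pipes_by_actor(lines) -> dict:
    """The first 'stats count by src_user,src_ip,RelativeTargetName,host_fqdn'
    collapses repeats, so each actor ends up with a set of distinct pipes."""
    pipes = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if matches_base_search(ev):
            actor = (ev["src_user"], ev["src_ip"], ev["host_fqdn"])
            pipes[actor].add(ev["RelativeTargetName"])
    return pipes


def actors_hitting_all_pipes(lines) -> dict:
    """The second stats plus 'where mvcount(all) = 4': keep only actors whose
    distinct pipe set covers every required pipe."""
    return {
        actor: sorted(pipes)
        for actor, pipes in distinct_pipes_by_actor(lines).items()
        if pipes >= REQUIRED_PIPES
    }


def naive_count_hits(lines) -> dict:
    """What you get if the dedup stats is skipped: list() keeps duplicates, so a
    raw count of 4 does not mean four different pipes were opened."""
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if matches_base_search(ev):
            counts[(ev["src_user"], ev["src_ip"], ev["host_fqdn"])] += 1
    return {actor: n for actor, n in counts.items() if n == 4}


if __name__ == "__main__":
    lines = SAMPLE_EVENTS.splitlines()
    for (user, ip, host), pipes in actors_hitting_all_pipes(lines).items():
        print(f"{user}@{ip} -> {host}: {', '.join(pipes)}")
    print("naive count == 4 would flag:", naive_count_hits(lines))
```

Run as-is, only alice from 10.0.0.5 is reported: she opened all four pipes (samr twice, plus spoolss, which is outside the IN list and ignored). The machine account SRV02$ is dropped by the src_user!=*$ condition even though it touched all four, and bob, who opened samr three times and srvsvc once, is the actor a count without the dedup step would wrongly flag.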

sintjm
Path Finder

Hi,

Have you tried mvexpand list(RelativeTargetName)?


DanielAmlung
Path Finder

Hi, thanks for the answer, but I don't want to expand the multi-value field, so this is not what I am looking for.
