Splunk Search

Display only events that fulfill all IN conditions

DanielAmlung
Path Finder

Hi Team,

I have a search that queries for 4 IN conditions and then lists them. The search works fine but I need help with one request. I only want to display the events that fulfill all 4 conditions within the IN statement:

Search:

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn

Table: [screenshot splunk_question.png]

So I only want to see the events that match all 4 RelativeTargetNames, not the ones that match only one.

 

Any help would be appreciated 🙂


ITWhisperer
SplunkTrust
| stats list(RelativeTargetName) as RelativeTargetName by src_ip, src_user,host_fqdn
| where mvcount(RelativeTargetName) = 4

PickleRick
SplunkTrust

As an additional hint, you could add all four search terms literally to limit the initial search results for a bit of a performance boost.

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$ samr lsarpc srvsvc winreg
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn

But whether this is significantly beneficial, you'd have to see on the job inspect page.

Another way to limit your results (as opposed to @ITWhisperer's solution, which works on the summarized data) would be to add all four values explicitly as field values, not with the IN clause.

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName=samr RelativeTargetName=lsarpc RelativeTargetName=srvsvc RelativeTargetName=winreg src_user!=*$

DanielAmlung
Path Finder

Thanks for pointing me in the right direction. I slightly modified the search and it now works:

 

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$
| stats count by src_user,src_ip,RelativeTargetName,host_fqdn
| stats list(RelativeTargetName) as all by src_ip, src_user,host_fqdn
| where mvcount(all) = 4

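As an added example (not from the thread), the same pipeline written out in Python over a few constructed EventCode 5145 records, which makes visible why the first `stats count by` matters: `list()` keeps duplicates, so without that step a source that hit `samr` four times would also pass `mvcount = 4`. Hostnames, users and addresses are made up.

```python
from collections import defaultdict

# Named pipes from the thread's IN (...) list; all four must be seen from one source.
REQUIRED_PIPES = frozenset({"samr", "lsarpc", "srvsvc", "winreg"})


def event(src_user, src_ip, host, target, share=r"\\srv01\IPC$", code=5145):
    """Build one constructed EventCode 5145 record with the fields the search uses."""
    return {"EventCode": code, "file_name": share, "RelativeTargetName": target,
            "src_user": src_user, "src_ip": src_ip, "host_fqdn": host}


HOST = "srv01.corp.example"  # constructed hostname
SAMPLE_EVENTS = [  # constructed sample data, not real log output
    # alice touches all four pipes; samr twice to show why the first stats matters
    event("alice", "10.0.0.5", HOST, "samr"), event("alice", "10.0.0.5", HOST, "samr"),
    event("alice", "10.0.0.5", HOST, "lsarpc"), event("alice", "10.0.0.5", HOST, "srvsvc"),
    event("alice", "10.0.0.5", HOST, "winreg"),
    # bob touches only one pipe
    event("bob", "10.0.0.9", HOST, "srvsvc"),
    # a machine account touches all four but is excluded by src_user!=*$
    *[event("WS01$", "10.0.0.7", HOST, p) for p in sorted(REQUIRED_PIPES)],
    # carol hits a non-IPC$ share, so the file_name filter drops her
    event("carol", "10.0.0.11", HOST, "samr", share=r"\\srv01\C$"),
]


def matches_base_search(ev):
    """The base search: EventCode=5145, \\\\*\\IPC$ share, pipe in the IN list, no machine accounts."""
    fn = ev["file_name"]
    return (ev["EventCode"] == 5145
            and fn.startswith("\\\\") and fn.endswith("\\IPC$")
            and ev["RelativeTargetName"] in REQUIRED_PIPES
            and not ev["src_user"].endswith("$"))


def pipes_by_source(events):
    """`stats count by src_user,src_ip,RelativeTargetName,host_fqdn | stats list(...) by src_ip,src_user,host_fqdn`.
    The first stats collapses repeated (source, pipe) pairs, so a set models its output;
    list() alone keeps duplicates and alice's two samr events would inflate mvcount."""
    seen = defaultdict(set)
    for ev in events:
        if matches_base_search(ev):
            seen[(ev["src_ip"], ev["src_user"], ev["host_fqdn"])].add(ev["RelativeTargetName"])
    return seen


def sources_touching_all_pipes(events):
    """`where mvcount(RelativeTargetName) = 4`: keep only sources that hit every required pipe."""
    return sorted(src for src, pipes in pipes_by_source(events).items()
                  if len(pipes) == len(REQUIRED_PIPES))
```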

sintjm
Path Finder

Hi

Have you tried mvexpand list(RelativeTargetName)?


DanielAmlung
Path Finder

Hi, thanks for the answer, but I don't want to expand the multi-value field. So this is not what I am looking for.
