EventCode Subsearch

jeradb
Explorer

I have an application that I am trying to monitor.  There is a specific event code for when the tool is opened to modify the tool (EventCode=250).  There is an EventCode for when it is closed (EventCode=100).  These two codes display a user name, but the events between them do not.  How can I write a search to look for these two events then display the changes between them with the username who completed the change?  

| from datamodel:P3 | search EventCode IN (250, 100, 70, 80)
| eval user = coalesce(User, Active_User)
| eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P")
| table Event_Time, host,user,Device_Added,Device_SN,Device_ID,EventCode, EventDescription

| Event_Time | host | user | Device_Added | Device_SN | Device_ID | EventCode |
|---|---|---|---|---|---|---|
| 02/22/24 08:49:44 am | Test-Com | xxxxx | | | | 100 |
| 02/21/24 03:59:12 pm | Test-Com | xxxxx | | | | 250 |
| 02/21/24 03:56:08 pm | Test-Com | xxxxx | | | | 100 |
| 02/21/24 03:56:00 pm | Test-Com | | USB 1 | 12345 | PID_1 | 70 |
| 02/21/24 03:56:00 pm | Test-Com | | USB 2 | 6789 | PID_2 | 70 |
| 02/21/24 03:51:10 pm | Test-Com | | USB 1 | 12345 | PID_1 | 80 |
| 02/21/24 03:50:44 pm | Test-Com | xxxxx | | | | 250 |

0 Karma

yuanliu
SplunkTrust

If the illustrated fields are all you have, the only link between 250 -> 100 (with user) and the rest of events (without) is host. I highly doubt if this can be sufficient to determine what a user has done between 250 and 100, unless this tool is strictly single-user and no other things can generate any of these events.

If the tool is single-user only, you can use transaction to group these events together, like

| transaction host startswith="EventCode=250" endswith="EventCode=100"

Once transactions are established, you can then glean completed transactions for event codes that are not 250 and 100.  For example,

| transaction host startswith="EventCode=250" endswith="EventCode=100"
| stats values(EventCode) as EventCode values(user) as user by host
| eval EventCode = mvfilter(NOT EventCode IN ("250", "100"))

Hope this helps.

0 Karma

jeradb
Explorer

@yuanliu  Is there a way to say if EventCode=70 look upstream for EventCode=250 and join User?  I am only trying to capture who created the event.

0 Karma

yuanliu
SplunkTrust

This is very much a question of efficiency.  If you have a relatively small number of event 70 in a short period of time, but event 250 was some long time ago, using subsearch would be more efficient than retrieving both types of events for a long period of time.

You also need to tell us which EventCode's give you User, which give you Active_User.  Assuming that EventCode 250 gives you Active_User but 70 gives you User, you can do something like

| from datamodel:P3
| search EventCode=250 earliest=-1mon ``` earliest value for demonstration purpose only ```
    [from datamodel:P3
    | search EventCode=70 earliest=-1h ``` earliest value for demonstration purpose only ```
    | stats values(User) as Active_User ``` assuming User is present in EventCode 70 to match Active_User in EventCode 250 ``` ]

0 Karma
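For the "look upstream for EventCode=250" question, another way to attach the user without a subsearch, shown as an added example that neither participant posted: sort each host's events oldest first, carry the most recent 250 user forward with streamstats, and stop carrying at 100. The rows are constructed to mirror the table in the question plus one device event after the close. The field names constructed_rows, marker, session_state and changed_by, and the "CLOSED" sentinel (which must not collide with a real user name), are choices made for this example. It relies on the same single-user-per-host assumption discussed above.

```spl
| makeresults
| eval constructed_rows = split(
    "2024-02-21 15:50:44,Test-Com,250,xxxxx,-;" .
    "2024-02-21 15:51:10,Test-Com,80,-,USB 1;" .
    "2024-02-21 15:56:00,Test-Com,70,-,USB 1;" .
    "2024-02-21 15:56:00,Test-Com,70,-,USB 2;" .
    "2024-02-21 15:56:08,Test-Com,100,xxxxx,-;" .
    "2024-02-21 15:58:00,Test-Com,70,-,USB 3;" .
    "2024-02-21 15:59:12,Test-Com,250,xxxxx,-", ";")
| mvexpand constructed_rows
| eval f = split(constructed_rows, ",")
| eval _time = strptime(mvindex(f, 0), "%Y-%m-%d %H:%M:%S"),
       host = mvindex(f, 1),
       EventCode = mvindex(f, 2),
       user = nullif(mvindex(f, 3), "-"),
       Device_Added = nullif(mvindex(f, 4), "-")
| sort 0 host _time
| eval marker = case(EventCode == "250", user, EventCode == "100", "CLOSED")
| streamstats last(marker) as session_state by host
| eval changed_by = case(
    isnotnull(user), user,
    isnull(session_state) OR session_state == "CLOSED", "unattributed",
    true(), session_state)
| where in(EventCode, "70", "80")
| table _time host EventCode Device_Added changed_by
```

Against real data, replace everything up to and including the field-extraction eval with the `from datamodel:P3` search and the coalesce from the question. A device event that arrives after a 100 and before the next 250, like the USB 3 row here, comes out as "unattributed" rather than inheriting the previous session's user.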