Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

EventID - account name from 2 different events in one search

icewolf69
Loves-to-Learn Everything
‎07-03-2021 12:23 PM

Hi all, I'm a Splunk beginner and I'm having a hard time getting this particular search down.

My objective is to get the "Account_Name" field from 2 different event codes (4624 type 10 & 4778).  This issue is I can't figure out how to get both the 2nd instance of Account_Name for only the 4624, but the first instance of it in the 4778.  This is because windows uses the Account_Name field twice in a lot of logs, but not in some.  So I need the first Account_Name in 4778, and the second Account_Name in 4624.

Here is what I have so far.  Having trouble putting in that middle piece.

index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10) | eval Acct=mvindex(Account_Name,1)

***Also find "eventcode=4778" Account_Name****

| rename Acct as "Account Used on Remote Machine" 
| rename Client_Name as "Source Machine" 
| rename ComputerName as "Destination Machine" 
| timechart count by "Account Used on Remote Machine"

 

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2021 02:32 PM 
index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10)

This has limited your pipeline of events to just event cod 4624. What you probably need to do in include 4778 events as well

index=main source="WinEventLog:Security" ("eventcode=4624" AND Logon_Type=10) OR "eventcode=4778"

You now probably need to merge them into a single event in the pipeline?

You can do this with something like this

| stats count by Account_name

However, this will just give you a count of events by Account_name whether that event was a 4624 or 4778

Given that you seem to be using timechart, do you want the count of events within particular time periods?

Start with the search returning both type of events and decide what you want to do with those.

0 Karma
Reply

icewolf69
Loves-to-Learn Everything
‎07-03-2021 03:20 PM

I can add 4778 easy enough, the issue is since they both use different "Account_Name" fields, I get garbage trying to filter either one:

4624:

Account_Name,0 = garbage

Account_Name,1=good, what I want to collect

4778:

Account_Name,0=good, what I want to collect

Account_Name,1=does not exist in log, garbage

 

If I try to collect both events "Account_Name,0", I  get half junk, half good events.  It's the same trying to collect "Account_Name,1" because since "Account_Name,1" doesn't exist in the 4778, it has no information to collect and the log is filtered.

 

I need someway to filter out the 4624 "Account_Name,0".... Or possibly ignore it and join "Account_Name,1" with "Account_Name" from 4778.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-03-2021 11:35 PM 
| eval Account_name=if(eventcode="4624",mvindex(Account_name,1),mvindex(Account_name,0))
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...