Splunk Search

Help with Searching Events with different OS platform table fields

SplunkNewbie132
New Member

Hello, I have recently started learning about Splunk and have been stuck while attempting to make the search display events that come from both my Linux and Windows machines at once. For example, for Windows, I have created this query that counts and displays the times EventID 4625 has a failed password from ssh, per minute:

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" Account_Name=client1 failed password* | bucket span=1m _time | stats count by _time, host, source, Caller_Process_Name, Account_Name, EventCode, Failure_Reason | table _time, host, source, EventCode, count, Caller_Process_Name, Account_Name, EventCode, Failure_Reason

And I have this query for a Linux that does the same:

index=* sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" OR user=* failed password* | bucket span=1m _time | stats count by _time, host, process, source | table _time, host, source, process, count

The issue is, whenever I am trying to make it display both Linux and Windows events at once by providing it the fields together, such as process (Linux related), EventCode (Windows related), Account_Name (Windows related) and user (Linux related), with this query:

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" failed password* | bucket span=1m _time | stats count by _time, host, source, EventCode | table _time, host, source, EventCode

Then it will only display the Windows logs, and this is just because the EventCode was added. If I, for example, remove the "EventCode" and paste it as:

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" failed password* | bucket span=1m _time | stats count by _time, host, source | table _time, host, source

Then both will appear on the screen, but without the filters I want. I am confused; can anyone help me, please? Thanks!


gcusello
SplunkTrust

Hi @SplunkNewbie132,

you can use the solution from @yuanliu or use a more structured solution.

You should create an eventtype for each data source,

e.g. for Windows

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" Account_Name=client1 failed password*

and for Linux:

index=* sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" OR user=* failed password*

then you can run a simpler search like this:

eventtype=windows OR eventtype=linux
| bucket span=1m _time 
| stats values(EventCode) AS EventCode by _time host source

Obviously there are fields (e.g. EventCode) that are present in only one OS, so they will be empty in the Linux rows.

If you have fields with the same content but different name (e.g. process and Caller_Process_Name) you can use a rename or an alias:

eventtype=windows OR eventtype=linux
| bucket span=1m _time 
| stats values(EventCode) AS EventCode by _time host source
| eval Caller_Process_Name=coalesce(process,Caller_Process_Name)

Ciao.

Giuseppe


yuanliu
SplunkTrust

(First, it would be much easier for others to understand if you could lay out sample code distinctly from descriptive text.)

Then it will only display me the Windows logs, and this is just because the EventCode was added.

That is because "group by" will only operate on non-null values. EventCode doesn't exist in Linux logs; therefore Linux events are not included.

How to display events from both depends on the exact kind of output you require.  Here is one possible method:

((sourcetype="wineventlog:security" host="CLIENT1-DESKTOP" Account_Name=client1) OR (source="/var/log/auth.log" host="client3-kali")) failed password*
| bucket span=1m _time
| eval ProcessName = if(sourcetype=="wineventlog:security", Caller_Process_Name, process)
| stats count values(Account_Name) as Account_Name values(EventCode) as EventCode values(Failure_Reason) as Failure_Reason by _time, host, ProcessName, source
| table _time, host, source, EventCode, count, ProcessName, Account_Name, EventCode, Failure_Reason
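The behaviour both answers describe, that stats ... by silently drops any event missing one of the by-fields and that an eval/coalesce step run before the stats gives every event a common field, modelled in Python as an added example. This is not SPL from the thread and not Splunk's own code; it imitates bucket span=1m, stats count by and values() over a handful of constructed Windows 4625 and Linux auth.log events (hosts, sources, process names and account names are made up for the example) so the effect of adding EventCode to the by-clause, and of normalising first, can be checked offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from the thread. Windows 4625 events carry
# EventCode / Caller_Process_Name / Account_Name; Linux sshd failures carry
# process / user. All four fall inside the same minute.
WIN_SOURCETYPE = "wineventlog:security"
T0 = datetime(2024, 1, 1, 12, 0, 0)

SAMPLE_EVENTS = [
    {"_time": T0 + timedelta(seconds=5), "sourcetype": WIN_SOURCETYPE,
     "host": "CLIENT1-DESKTOP", "source": "WinEventLog:Security", "EventCode": "4625",
     "Account_Name": "client1", "Caller_Process_Name": "C:\\Windows\\System32\\svchost.exe",
     "Failure_Reason": "Unknown user name or bad password."},
    {"_time": T0 + timedelta(seconds=40), "sourcetype": WIN_SOURCETYPE,
     "host": "CLIENT1-DESKTOP", "source": "WinEventLog:Security", "EventCode": "4625",
     "Account_Name": "client1", "Caller_Process_Name": "C:\\Windows\\System32\\svchost.exe",
     "Failure_Reason": "Unknown user name or bad password."},
    {"_time": T0 + timedelta(seconds=12), "sourcetype": "linux_secure",
     "host": "client3-kali", "source": "/var/log/auth.log", "process": "sshd", "user": "client1"},
    {"_time": T0 + timedelta(seconds=50), "sourcetype": "linux_secure",
     "host": "client3-kali", "source": "/var/log/auth.log", "process": "sshd", "user": "root"},
]


def bucket_minute(events):
    """Model of `bucket span=1m _time`: truncate each _time to the minute."""
    return [dict(e, _time=e["_time"].replace(second=0, microsecond=0)) for e in events]


def stats_count_by(events, by_fields, values_of=()):
    """Model of `stats count values(f) AS f ... by <by_fields>`.

    An event that lacks any by-field is dropped from the result entirely; that is
    why adding EventCode to the by-clause made the Linux rows disappear.
    values() collects the distinct non-null values, so a field one OS never
    sets comes back as an empty list for that OS's rows.
    """
    groups = defaultdict(list)
    for e in events:
        if any(e.get(f) is None for f in by_fields):
            continue  # null by-field -> event contributes nothing
        groups[tuple(e[f] for f in by_fields)].append(e)
    rows = []
    for key in sorted(groups):
        row = dict(zip(by_fields, key))
        row["count"] = len(groups[key])
        for f in values_of:
            row[f] = sorted({e[f] for e in groups[key] if e.get(f) is not None})
        rows.append(row)
    return rows


def normalize(events):
    """Model of the eval step from the answers, run BEFORE stats so the new
    fields survive: ProcessName = if(sourcetype=="wineventlog:security",
    Caller_Process_Name, process) and Account = coalesce(Account_Name, user)."""
    out = []
    for e in events:
        e = dict(e)
        if e.get("sourcetype") == WIN_SOURCETYPE:
            e["ProcessName"] = e.get("Caller_Process_Name")
        else:
            e["ProcessName"] = e.get("process")
        e["Account"] = e.get("Account_Name") or e.get("user")
        out.append(e)
    return out


def broken_search(events):
    """The question's third query: grouping by EventCode keeps only Windows rows."""
    return stats_count_by(bucket_minute(events), ["_time", "host", "source", "EventCode"])


def fixed_search(events):
    """Normalise first, then group only by fields every event has, and carry
    the OS-specific fields along with values() instead of in the by-clause."""
    return stats_count_by(
        normalize(bucket_minute(events)),
        ["_time", "host", "source", "ProcessName"],
        values_of=["EventCode", "Account", "Failure_Reason"],
    )


if __name__ == "__main__":
    print("broken:", broken_search(SAMPLE_EVENTS))
    print("fixed: ", fixed_search(SAMPLE_EVENTS))
```

Running it shows one row (CLIENT1-DESKTOP only) for broken_search and two rows for fixed_search, where the Linux row has an empty EventCode and Failure_Reason list, which is the "empty in the Linux rows" caveat from the first answer. The ordering matters in the same way in real SPL: an eval placed after stats cannot see Caller_Process_Name or process, because stats has already reduced the events to the by-fields and aggregates.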