Splunk Search

Help with Searching Events with different OS platform table fields

SplunkNewbie132
New Member

Hello, I have recently started learning about Splunk and have been stuck while attempting to make the search display events that come from both my Linux and Windows machines at once. For example, for Windows, I have created this query that counts and displays the times

EventID 4625 has fail password from ssh per minute

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" Account_Name=client1 failed password*
| bucket span=1m _time
| stats count by _time, host, source, Caller_Process_Name, Account_Name, EventCode Failure_Reason
| table _time, host, source, EventCode, count, Caller_Process_Name, Account_Name, EventCode, Failure_Reason

And I have this query for a Linux that does the same:

index=* sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" OR user=* failed password*
| bucket span=1m _time
| stats count by _time, host, process, source,
| table _time, host, source, process, count

The issue is, whenever I am trying to make it display both Linux and Windows events at once, by providing it the fields together such as:

process (Linux related), EventCode (Windows related), Account_Name (Windows related), user (Linux related), with this query:

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" failed password*
| bucket span=1m _time
| stats count by _time, host, source, EventCode
| table _time, host, source, EventCode

Then it will only display the Windows logs, and this is just because EventCode was added. If I, for example, remove "EventCode" and paste it as:

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" failed password*
| bucket span=1m _time
| stats count by _time, host, source,
| table _time, host, source


Then both will appear on the screen, but without the filters I want. I am confused, can anyone help me please? Thanks!


gcusello
SplunkTrust

Hi @SplunkNewbie132,

You can use the solution from @yuanliu or use a more structured solution.

You should create an eventtype for each data source,

e.g. for Windows

EventID 4625 has fail password from ssh per minute

sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" Account_Name=client1 failed password*

and for Linux:

index=* sourcetype="wineventlog:security" OR source="/var/log/auth.log" host="CLIENT1-DESKTOP" OR host="client3-kali" OR user=* failed password*

then you can run a simpler search like this:

eventtype=windows OR eventtype=linux
| bucket span=1m _time 
| stats values(EventCode) AS EventCode by _time host source

Obviously there are fields (such as EventCode) that are present in only one OS, so they will be empty in the Linux rows.

If you have fields with the same content but different name (e.g. process and Caller_Process_Name) you can use a rename or an alias:

eventtype=windows OR eventtype=linux
| bucket span=1m _time 
| stats values(EventCode) AS EventCode by _time host source
| eval Caller_Process_Name=coalesce(process,Caller_Process_Name)

Ciao.

Giuseppe



yuanliu
SplunkTrust

(First, it would be much easier for others to understand if you could lay out sample code distinctly from descriptive text.)

"Then it will only display me the Windows logs, and this is just because the EventCode was added."

That is because "group by" will only operate on non-null values.  EventCode doesn't exist in Linux logs, therefore Linux events are not included.

How to display events from both depends on the exact kind of output you require.  Here is one possible method:

((sourcetype="wineventlog:security" host="CLIENT1-DESKTOP" Account_Name=client1) OR (source="/var/log/auth.log" host="client3-kali")) failed password*
| bucket span=1m _time
| eval ProcessName = if(sourcetype=="wineventlog:security", Caller_Process_Name, process)
| stats count values(Account_Name) as Account_Name values(EventCode) as EventCode values(Failure_Reason) as Failure_Reason by _time, host, ProcessName, source
| table _time, host, source, EventCode, count, ProcessName, Account_Name, EventCode, Failure_Reason
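As an added illustration (not code from this thread), the following Python mimics on constructed Windows and Linux events the two SPL behaviours the answers rely on: `stats count by ...` drops any event whose by-field is null, and a `coalesce()`-style eval gives both platforms one shared field to group on. The timestamps, the Windows `source` value and the Linux `sourcetype` are constructed assumptions, not values from the thread.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data), already split into the
# Splunk-style fields the thread refers to. The Windows event carries
# EventCode, Account_Name and Caller_Process_Name; the Linux auth.log
# events carry user and process, and have no EventCode at all.
EVENTS = [
    {"_time": "2024-04-01 10:00:05", "host": "CLIENT1-DESKTOP",
     "sourcetype": "wineventlog:security", "source": "WinEventLog:Security",
     "EventCode": "4625", "Account_Name": "client1",
     "Caller_Process_Name": "sshd.exe",
     "Failure_Reason": "Unknown user name or bad password."},
    {"_time": "2024-04-01 10:00:40", "host": "client3-kali",
     "sourcetype": "linux_secure", "source": "/var/log/auth.log",
     "user": "client1", "process": "sshd"},
    {"_time": "2024-04-01 10:01:10", "host": "client3-kali",
     "sourcetype": "linux_secure", "source": "/var/log/auth.log",
     "user": "client1", "process": "sshd"},
]


def bucket_minute(ts):
    """`bucket span=1m _time`: truncate a timestamp to the start of its minute."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.replace(second=0).strftime("%Y-%m-%d %H:%M:%S")


def normalise(events):
    """`eval ProcessName=coalesce(Caller_Process_Name, process)` after bucketing.
    coalesce() returns the first non-null argument, so both platforms end up
    with a single ProcessName field that is never null."""
    out = []
    for e in events:
        e = dict(e)
        e["_time"] = bucket_minute(e["_time"])
        e["ProcessName"] = e.get("Caller_Process_Name") or e.get("process")
        out.append(e)
    return out


def stats_count_by(events, by_fields):
    """`stats count by <by_fields>`: an event is silently dropped from the
    result whenever any of its by-fields is null (e.g. EventCode on Linux)."""
    counts = defaultdict(int)
    for e in events:
        key = tuple(e.get(f) for f in by_fields)
        if any(v is None for v in key):
            continue
        counts[key] += 1
    return dict(counts)
```

Grouping the normalised events by `EventCode` keeps only the Windows row, while grouping by `ProcessName` keeps all three one-minute buckets.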