Help with search with the next x amount of commands

FoxMike
Engager

Hi all,

Is there a possibility that, when you've made a query with the hits you want, the next x events are also listed?

For example:

index=*_*_windows EventCode=4688 source=XmlWinEventLog:Security *[redacted]* host=[redacted] *schtasks.exe | table _time, TargetUserName, host, CommandLine, status

This will show exactly what I need to see, but I also want to know the next 10 events that occurred after the results of this query.

I hope this makes sense; if not, don't hesitate to message me for clarification.

Many thanks in advance!


ITWhisperer
SplunkTrust

Your search is filtering events by EventCode and a bunch of other stuff; this restricts the events available. If you want other events which aren't filtered, you need to remove part or all of the filter.

If we assume you want other EventCodes and the rest of the filter remains, you could try something like this:

index=*_*_windows source=XmlWinEventLog:Security *[redacted]* host=[redacted] *schtasks.exe
| sort 0 _time
| streamstats count(eval(EventCode=4688)) as KeyEvents
| fields _time, TargetUserName, host, CommandLine, status, KeyEvents
| where KeyEvents > 0
| streamstats count as sequence by KeyEvents
| where sequence < 11
| table _time, TargetUserName, host, CommandLine, status
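
As an added illustration (not from the original thread), this Python mirrors what the streamstats pipeline above computes, run over constructed sample events, and shows two things worth knowing before relying on it in an investigation: the key event itself occupies sequence 1, so `sequence < 11` returns each 4688 plus the nine events after it, and a second 4688 inside that span starts a new group and cuts the previous window short.

```python
# Constructed sample (not real logs): 25 events already narrowed by the
# host/schtasks.exe filter and sorted ascending by _time. Two 4688 process
# creation events, at _time 3 and 8; everything else is 4689 (process exit).
# The _time values are placeholders, not real timestamps.
SAMPLE_EVENTS = [
    {"_time": t, "EventCode": 4688 if t in (3, 8) else 4689,
     "CommandLine": "schtasks.exe /query" if t in (3, 8) else ""}
    for t in range(1, 26)
]


def key_event_windows(events, key_code=4688, max_seq=11):
    """Reproduce the SPL from the answer:
         streamstats count(eval(EventCode=key_code)) as KeyEvents
         where KeyEvents > 0
         streamstats count as sequence by KeyEvents
         where sequence < max_seq
    Returns (KeyEvents, sequence, event) tuples that survive the filters."""
    kept = []
    key_events = 0          # running count of key events seen so far
    seq_by_group = {}       # per-KeyEvents counter, like "by KeyEvents"
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] == key_code:
            key_events += 1  # a new key event opens a new group
        if key_events == 0:
            continue         # events before the first key event are dropped
        seq = seq_by_group.get(key_events, 0) + 1
        seq_by_group[key_events] = seq
        if seq < max_seq:    # sequence 1 is the key event itself
            kept.append((key_events, seq, ev))
    return kept


def times_by_window(windows):
    """Collapse the output to {KeyEvents: [_time, ...]} for inspection."""
    groups = {}
    for key_events, _seq, ev in windows:
        groups.setdefault(key_events, []).append(ev["_time"])
    return groups


if __name__ == "__main__":
    for group, times in times_by_window(key_event_windows(SAMPLE_EVENTS)).items():
        print(f"key event #{group}: _time {times}")
```

Group 1 is cut to five events because the second 4688 at _time 8 starts group 2; raise `max_seq` to 12 if ten follow-on events are really wanted.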

FoxMike
Engager

Hi,

Many thanks. It didn't solve it completely, but it is a good template to further specify my query.

Thanks for the help!
