Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I search for two different events that happen over 10 minutes on the same username?

shlomihertzberg
Engager
‎06-19-2020 03:20 AM

Hi

 need your support Splunkers

I Want to search user created and deleted in 10 minutes.

so i am starting the search like this:

index=windows_auth EventID=4720 AND EventID=4726

Then I just got stuck, no matter what I tried.

I need a data when these 2 events occur during 10 minutes on the same username.

Thanks for your help !

Labels (1)
Labels
0 Karma
Reply

rnowitzki
Builder
‎06-19-2020 04:02 AM

Hi @shlomihertzberg ,

This works, but I guess there are smarter ways:

 

index=windows_auth EventID=4720 OR EventID=4726
| dedup EventID, User
| stats count by User
| where count>1
| fields - count

 

 

The dedup is just for the (I guess) rare case where a User is being created and/or deleted more than just 1 time within 10 minutes. 

Now you just have to put your search to a 10 minute timeframe.

Edit 22/6: Needs to be "OR" in the first line instead of "AND" of course 🤐 (thx @isoutamo)

--
Karma and/or Solution tagging appreciated.
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-22-2020 04:02 AM
You still need to use @Richfez example with transaction to get the correct answer.
0 Karma
Reply

shlomihertzberg
Engager
‎06-20-2020 04:32 AM

HI @rnowitzki 

Thank you very much for your goodwill.
Unfortunately it does not give any results.
But I will keep trying.
Thank you!

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2020 02:21 PM

Hi

try to change AND to OR in this as otherwise it find only events which has both values in the same event which is impossible. With OR it found both separate events and if those exists within 10 min then it “alerts”. 
r. Ismo

Reply

Richfez
SplunkTrust
SplunkTrust
‎06-19-2020 06:12 AM

Since you are filtering data down so well, this could be a case for the "transaction" command.

index=windows_auth EventID=4720 AND EventID=4726
| transaction maxspan=10m maxpause=10m startswith=EventID=4720 endswith=EventID=4726 username

I don't know for sure they are in the right order (startswith vs. endswith), and you'll need to adjust field "username" to what you need to hook 'em up on.

But what pops out the other end should be your list.

There's other options to the transaction command, too.  See the docs!

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...