Splunk Search

How can I search for two different events that happen over 10 minutes on the same username?

shlomihertzberg
Engager

Hi

I need your support, Splunkers.

I want to search for a user that is created and deleted within 10 minutes.

So I am starting the search like this:

index=windows_auth EventID=4720 AND EventID=4726

Then I just got stuck, no matter what I tried.

I need the data for when these 2 events occur within 10 minutes for the same username.

Thanks for your help !


rnowitzki
Builder

Hi @shlomihertzberg ,

This works, but I guess there are smarter ways:

index=windows_auth EventID=4720 OR EventID=4726
| dedup EventID, User
| stats count by User
| where count>1
| fields - count

The dedup is just for the (I guess) rare case where a User is being created and/or deleted more than just 1 time within 10 minutes. 

Now you just have to put your search to a 10 minute timeframe.

Edit 22/6: Needs to be "OR" in the first line instead of "AND" of course 🤐 (thx @isoutamo)

--
Karma and/or Solution tagging appreciated.

isoutamo
SplunkTrust
You still need to use @Richfez's example with transaction to get the correct answer.

shlomihertzberg
Engager

Hi @rnowitzki

Thank you very much for your goodwill.
Unfortunately it does not give any results.
But I will keep trying.
Thank you!


isoutamo
SplunkTrust

Hi

Try changing AND to OR in this, as otherwise it finds only events which have both values in the same event, which is impossible. With OR it finds both separate events, and if those exist within 10 min then it "alerts".
r. Ismo

Richfez
SplunkTrust

Since you are filtering data down so well, this could be a case for the "transaction" command.

index=windows_auth (EventID=4720 OR EventID=4726)
| transaction username maxspan=10m maxpause=10m startswith=(EventID=4720) endswith=(EventID=4726)

I don't know for sure they are in the right order (startswith vs. endswith), and you'll need to adjust field "username" to what you need to hook 'em up on.

But what pops out the other end should be your list.

There are other options to the transaction command, too. See the docs!
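To make the difference between the two approaches in this thread concrete, here is an added Python example (not code from the thread or from Splunk) that reimplements both over a handful of constructed Windows-style log lines: `users_with_both_events` mirrors rnowitzki's dedup/stats idea (a user has both a 4720 and a 4726 within the 10-minute window, in any order), and `find_create_delete_pairs` mirrors Richfez's ordered `transaction` with `startswith=(EventID=4720)`, `endswith=(EventID=4726)` and `maxspan=10m`. The log format, the `User` field name and the sample timestamps are assumptions for the example.

```python
"""Correlate Windows account-created (4720) and account-deleted (4726)
events for the same user within a 10-minute window.

Two strategies, matching the two answers in the thread:
  * users_with_both_events   - unordered: both event IDs present for the
                               user within the window (dedup/stats style)
  * find_create_delete_pairs - ordered: a 4726 that follows a 4720 for the
                               same user within maxspan (transaction style)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import product

ACCOUNT_CREATED = 4720
ACCOUNT_DELETED = 4726
WINDOW = timedelta(minutes=10)

# Constructed sample log lines (hypothetical, not real Windows Security events).
# dave is deleted *before* being created, so only the unordered check flags him.
SAMPLE_LOG = """\
2024-06-22T10:00:00 EventID=4720 User=alice
2024-06-22T10:00:30 EventID=4720 User=bob
2024-06-22T10:02:00 EventID=4726 User=dave
2024-06-22T10:03:00 EventID=4720 User=dave
2024-06-22T10:04:00 EventID=4726 User=alice
2024-06-22T10:05:00 EventID=4726 User=carol
2024-06-22T10:10:00 EventID=4720 User=eve
2024-06-22T10:20:00 EventID=4726 User=eve
2024-06-22T10:30:30 EventID=4726 User=bob
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    user: str


def parse_line(line: str) -> Event:
    """Parse '<iso-timestamp> key=value key=value ...' into an Event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), int(kv["EventID"]), kv["User"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def users_with_both_events(events, window: timedelta = WINDOW) -> set[str]:
    """Unordered check: flag a user when any 4720 and any 4726 for that user
    lie within `window` of each other, regardless of which came first."""
    by_user: dict[str, dict[int, list[datetime]]] = {}
    for ev in events:
        if ev.event_id not in (ACCOUNT_CREATED, ACCOUNT_DELETED):
            continue
        buckets = by_user.setdefault(ev.user, {ACCOUNT_CREATED: [], ACCOUNT_DELETED: []})
        buckets[ev.event_id].append(ev.time)
    flagged = set()
    for user, times in by_user.items():
        for created, deleted in product(times[ACCOUNT_CREATED], times[ACCOUNT_DELETED]):
            if abs(deleted - created) <= window:
                flagged.add(user)
                break
    return flagged


def find_create_delete_pairs(events, window: timedelta = WINDOW):
    """Ordered pairing: each 4720 opens a pending 'transaction' for its user;
    the next 4726 for that user closes it if it arrives within `window`
    (maxspan), otherwise the pending creation is discarded.
    Returns [(user, created_at, deleted_at), ...] in time order."""
    pending: dict[str, datetime] = {}
    pairs = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == ACCOUNT_CREATED:
            pending[ev.user] = ev.time  # a newer creation restarts the window
        elif ev.event_id == ACCOUNT_DELETED:
            created = pending.pop(ev.user, None)
            if created is not None and ev.time - created <= window:
                pairs.append((ev.user, created, ev.time))
    return pairs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("both IDs within 10m (unordered):", sorted(users_with_both_events(evs)))
    for user, c, d in find_create_delete_pairs(evs):
        print(f"created-then-deleted: {user} {c.time()} -> {d.time()} ({d - c})")
```

Run on the sample data, the unordered check flags alice, dave and eve, while the ordered pairing returns only alice and eve; dave's delete precedes his create, which is why the thread recommends `transaction` with `startswith`/`endswith` for the correct answer. bob has both events but 30 minutes apart, so neither approach flags him.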
