Hi guys,
I am monitoring suspicious user activity using the transaction command. For example, if EventCodes X, Y, and Z (in this order) show up for the same user within 24 hours, an alert will be sent out. So I have most of my search complete. My problem is, I need to make sure that between X and Z the event Y is present.
.....| transaction user startswith=(EventCode=X) endswith=(EventCode=Z) | .....
I appreciate your help!
Thanks
You could easily do it like this
.....
| transaction user startswith=(EventCode=X) endswith=(EventCode=Z)
| where EventCode=Y
....
Once the transaction is created, you can search for EventCode = Y and Splunk will retain only the events that have EventCode=Y somewhere within the transaction.
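The same check expressed outside Splunk, as an added example that is not part of the original thread: it groups events per user, opens a "transaction" at each X, closes it at the first Z inside a time window (the equivalent of `maxspan`, assumed here to be 24 hours since the question mentions that limit), and only alerts when a Y occurred between them. The event codes and log lines are constructed stand-ins for the poster's X, Y and Z, not real Windows semantics.

```python
from datetime import datetime, timedelta

# Constructed placeholders for the poster's EventCodes X, Y and Z.
X, Y, Z = "EV_X", "EV_Y", "EV_Z"

# Constructed sample events: (timestamp, user, EventCode).
SAMPLE_EVENTS = [
    ("2024-01-01T08:00:00", "alice", X),
    ("2024-01-01T09:30:00", "alice", Y),
    ("2024-01-01T10:00:00", "alice", Z),   # X -> Y -> Z within 24h: alert
    ("2024-01-01T08:00:00", "bob", X),
    ("2024-01-01T11:00:00", "bob", Z),     # Z with no Y in between: no alert
    ("2024-01-01T12:00:00", "bob", Y),     # Y after the transaction closed
    ("2024-01-01T08:00:00", "carol", X),
    ("2024-01-02T20:00:00", "carol", Y),
    ("2024-01-02T21:00:00", "carol", Z),   # Z more than 24h after X: no alert
]


def _parse(events):
    """Turn ISO timestamps into datetimes so they can be compared."""
    return [(datetime.fromisoformat(ts), user, code) for ts, user, code in events]


def find_sequences(events, first=X, middle=Y, last=Z, window_hours=24):
    """Return (user, first_time, last_time) tuples for every transaction that
    starts with `first`, ends with `last` within `window_hours`, and contains
    `middle` strictly between them. This mirrors
    `transaction user startswith=(EventCode=X) endswith=(EventCode=Z)`
    followed by a filter on EventCode=Y."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for ts, user, code in _parse(events):
        by_user.setdefault(user, []).append((ts, code))

    hits = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order, like Splunk's per-transaction ordering
        for i, (t_first, code) in enumerate(evs):
            if code != first:
                continue  # a transaction only opens on the start event
            seen_middle = False
            for t, c in evs[i + 1:]:
                if t - t_first > window:
                    break  # past the span limit: transaction never closes
                if c == middle:
                    seen_middle = True
                elif c == last:
                    if seen_middle:
                        hits.append((user, t_first, t))
                    break  # endswith: the first Z closes the transaction
    return hits


def alert_users(events, **kwargs):
    """Sorted, de-duplicated list of users who should trigger the alert."""
    return sorted({user for user, _, _ in find_sequences(events, **kwargs)})


if __name__ == "__main__":
    for user, t_x, t_z in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT user={user} start={t_x.isoformat()} end={t_z.isoformat()}")
```

Because the transaction only spans from the X event to the Z event, any Y found inside it is by construction between them, which is why the simple presence filter in the accepted answer is enough to enforce the order. Widening `window_hours` (for example to 48) makes carol's sequence qualify as well, which is the same effect as raising `maxspan` on the Splunk side.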
Thank you very much! This worked perfectly.