Splunk Search

How do I search for exact sequence of events?

kelvinJE
Engager

Hi All

Wondering if anybody can assist. We're logging privilege user activity (GUI interactions etc) and looking to identify when a certain sequence occurs.

We have data such as the following:

Time    |   User   |   Action
10:00     Joe         Copied To Clipboard (Sensitive Data)
10:01     Ben         Copied To Clipboard (Normal Data)
10:01     Ben         Pasted From Clipboard
10:01     Joe         Copied To Clipboard (Normal Data)
10:02     Joe         Pasted From Clipboard
10:03     Joe         Copied To Clipboard (Sensitive Data)
10:04     Joe         Pasted From Clipboard
10:06     Joe         Copied To Clipboard (Normal Data)
10:07     Joe         Pasted From Clipboard

We're only interested in knowing when Sensitive data is copied, then pasted. So exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied, but then overwritten such as Joes actions 10:00, 10:01 and 10:02 then its ignored

I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:

 index=privillege_user_actions
 | SORT time
 | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"

Could anybody recommend a query for doing this?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kelvinJE
Engager

A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:

index=privillege_user_actions
  | SORT time
  | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"
| where eventcount=2

But I'd be really grateful for any assistance on this.

0 Karma

adonio
Ultra Champion

try this:

index=privillege_user_actions
transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" maxevents=2
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...