Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for exact sequence of events?

kelvinJE
Engager
‎09-10-2018 02:48 PM

Hi All

Wondering if anybody can assist. We're logging privilege user activity (GUI interactions etc) and looking to identify when a certain sequence occurs.

We have data such as the following:

Time    |   User   |   Action
10:00     Joe         Copied To Clipboard (Sensitive Data)
10:01     Ben         Copied To Clipboard (Normal Data)
10:01     Ben         Pasted From Clipboard
10:01     Joe         Copied To Clipboard (Normal Data)
10:02     Joe         Pasted From Clipboard
10:03     Joe         Copied To Clipboard (Sensitive Data)
10:04     Joe         Pasted From Clipboard
10:06     Joe         Copied To Clipboard (Normal Data)
10:07     Joe         Pasted From Clipboard

We're only interested in knowing when Sensitive data is copied, then pasted. So exact sequence of Joe's actions above at 10:03 and 10:04. If Sensitive data is copied, but then overwritten such as Joes actions 10:00, 10:01 and 10:02 then its ignored

I've toyed with Transactions for this, but I'm a newb and a bit out of my depth:

 index=privillege_user_actions
 | SORT time
 | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"

Could anybody recommend a query for doing this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 04:31 AM

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 04:31 AM

Your last query looks good, except for the sort. Events are returned in reverse time order automatically and transaction requires events be in that order so sorting won't help in this instance.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kelvinJE
Engager
‎09-10-2018 03:08 PM

A slight amendment, which I think is on the right tracks and returns some data, but I'm not sure it's correct:

index=privillege_user_actions
  | SORT time
  | transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard"
| where eventcount=2

But I'd be really grateful for any assistance on this.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎09-11-2018 05:51 AM

try this:

index=privillege_user_actions
transaction user startswith="Copied To Clipboard (Sensitive Data)" endswith="Pasted From Clipboard" maxevents=2
0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!