Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the 2nd through n-1 values of a field?

DEAD_BEEF
Builder
‎10-14-2016 10:34 AM

I have some Windows event log data that shows the ID when a user logs in and logs out. In addition, it shows me the audited actions taken by the user throughout their session. The generated table always starts with the login and always ends with the logout. Since I already know the login/logout messages, I don't want to see them in the audited actions.

How can I display the 2nd to n-1 values of the audited actions?

Current search

index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action

Current output

loginid    logoutid    user        audit_action
5073518    2519740     testcase    An account was successfully logged on
                                   A new process has been created
                                   A new handle to an object was requested
                                   A privileged service was called
                                   An account was logged off
                                   User initiated logoff

I would like to see everything above, except the first and last audit actions. How do I hide/remove them? There is no mvindex(audit_action, n-1)

SOLVED - Final Working Search

index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2) | table loginid, logoutid, user, audit_action
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2016 11:23 AM

The mvindex comes with two version, selecting single value from a multivalued field ( mvindex(mvfield,N) ) and selecting a range from a multivalued field ( mvindex(mvfield, startIndex, endIndex) ). The second is what you need to use here. (start index will be 1 as it's a 0 based index)

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2016 11:23 AM

The mvindex comes with two version, selecting single value from a multivalued field ( mvindex(mvfield,N) ) and selecting a range from a multivalued field ( mvindex(mvfield, startIndex, endIndex) ). The second is what you need to use here. (start index will be 1 as it's a 0 based index)

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2)
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎10-14-2016 11:32 AM

I am in your debt again! Counting and passing the count-2 makes complete sense! The only change I did was move the eval statements before the table. Not sure if it was necessary but just to keep it clean/consistent. Thank you!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-14-2016 10:54 AM

See if this works

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | mvexpand audit_action | streamstats count by loginid logoutid user | eventstats max(count) as max by loginid logoutid user | where count>1 AND count<max | stats values(audit_action) as audit_action by loginid logoutid user
0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎10-14-2016 11:23 AM

Currently giving zero results. The loginid and logoutid can be ignored because there are multiple ID's in-between the login and logout (which is why I use the transaction). If I cut your query and end it before the | where count... then I can see that its creating a table of

loginid  logoutid  user    audit_action  count
 5073518    2519740     testcase    An account was successfully logged on     271
                                    A new process has been created           302

but it's counting the actions across my entire search (1h) and not across the transaction groups which are much smaller.

Can I count the number of audit actions in each transaction group, and then display it as count>1 and count

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...