Splunk Search

How to display the 2nd through n-1 values of a field?

Builder

I have some Windows event log data that shows the ID when a user logs in and logs out. In addition, it shows me the audited actions taken by the user throughout their session. The generated table always starts with the login and always ends with the logout. Since I already know the login/logout messages, I don't want to see them in the audited actions.

How can I display the 2nd to n-1 values of the audited actions?

Current search

index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action

Current output

loginid    logoutid    user        audit_action
5073518    2519740     testcase    An account was successfully logged on
                                   A new process has been created
                                   A new handle to an object was requested
                                   A privileged service was called
                                   An account was logged off
                                   User initiated logoff

I would like to see everything above, except the first and last audit actions. How do I hide/remove them? There is no mvindex(audit_action, n-1)

SOLVED - Final Working Search

index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2) | table loginid, logoutid, user, audit_action
0 Karma
1 Solution

Revered Legend

The mvindex comes with two version, selecting single value from a multivalued field ( mvindex(mvfield,N) ) and selecting a range from a multivalued field ( mvindex(mvfield, startIndex, endIndex) ). The second is what you need to use here. (start index will be 1 as it's a 0 based index)

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2)

View solution in original post

Revered Legend

The mvindex comes with two version, selecting single value from a multivalued field ( mvindex(mvfield,N) ) and selecting a range from a multivalued field ( mvindex(mvfield, startIndex, endIndex) ). The second is what you need to use here. (start index will be 1 as it's a 0 based index)

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2)

View solution in original post

Builder

I am in your debt again! Counting and passing the count-2 makes complete sense! The only change I did was move the eval statements before the table. Not sure if it was necessary but just to keep it clean/consistent. Thank you!

0 Karma

Legend

See if this works

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | mvexpand audit_action | streamstats count by loginid logoutid user | eventstats max(count) as max by loginid logoutid user | where count>1 AND count<max | stats values(audit_action) as audit_action by loginid logoutid user
0 Karma

Builder

Currently giving zero results. The loginid and logoutid can be ignored because there are multiple ID's in-between the login and logout (which is why I use the transaction). If I cut your query and end it before the | where count... then I can see that its creating a table of

loginid  logoutid  user    audit_action  count
 5073518    2519740     testcase    An account was successfully logged on     271
                                    A new process has been created           302

but it's counting the actions across my entire search (1h) and not across the transaction groups which are much smaller.

Can I count the number of audit actions in each transaction group, and then display it as count>1 and count

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!