Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the 2nd through n-1 values of a field?

DEAD_BEEF
Builder
‎10-14-2016 10:34 AM

I have some Windows event log data that shows the ID when a user logs in and logs out. In addition, it shows me the audited actions taken by the user throughout their session. The generated table always starts with the login and always ends with the logout. Since I already know the login/logout messages, I don't want to see them in the audited actions.

How can I display the 2nd to n-1 values of the audited actions?

Current search

index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action

Current output

loginid    logoutid    user        audit_action
5073518    2519740     testcase    An account was successfully logged on
                                   A new process has been created
                                   A new handle to an object was requested
                                   A privileged service was called
                                   An account was logged off
                                   User initiated logoff

I would like to see everything above, except the first and last audit actions. How do I hide/remove them? There is no mvindex(audit_action, n-1)

SOLVED - Final Working Search

index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2) | table loginid, logoutid, user, audit_action
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2016 11:23 AM

The mvindex comes with two version, selecting single value from a multivalued field ( mvindex(mvfield,N) ) and selecting a range from a multivalued field ( mvindex(mvfield, startIndex, endIndex) ). The second is what you need to use here. (start index will be 1 as it's a 0 based index)

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2016 11:23 AM

The mvindex comes with two version, selecting single value from a multivalued field ( mvindex(mvfield,N) ) and selecting a range from a multivalued field ( mvindex(mvfield, startIndex, endIndex) ). The second is what you need to use here. (start index will be 1 as it's a 0 based index)

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | eval audit_action=mvindex(audit_actions,1,mvcount(audit_action)-2)
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎10-14-2016 11:32 AM

I am in your debt again! Counting and passing the count-2 makes complete sense! The only change I did was move the eval statements before the table. Not sure if it was necessary but just to keep it clean/consistent. Thank you!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-14-2016 10:54 AM

See if this works

 index=win user=testcase | transaction user startswith="EventCode=4624" endswith="EventCode=4647" mvlist=t | eval loginid=mvindex(id,0) | eval logoutid=mvindex(id,-1) | eval user=mvdedup(user) | table loginid, logoutid, user, audit_action | mvexpand audit_action | streamstats count by loginid logoutid user | eventstats max(count) as max by loginid logoutid user | where count>1 AND count<max | stats values(audit_action) as audit_action by loginid logoutid user
0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎10-14-2016 11:23 AM

Currently giving zero results. The loginid and logoutid can be ignored because there are multiple ID's in-between the login and logout (which is why I use the transaction). If I cut your query and end it before the | where count... then I can see that its creating a table of

loginid  logoutid  user    audit_action  count
 5073518    2519740     testcase    An account was successfully logged on     271
                                    A new process has been created           302

but it's counting the actions across my entire search (1h) and not across the transaction groups which are much smaller.

Can I count the number of audit actions in each transaction group, and then display it as count>1 and count

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...