Splunk Search

How to generate a search to display results only for a COMBINATION of events?

kalik
Explorer

Hi guys,

I'm trying to do a search that would return results only for a combination of 2 events. I'm specifically looking for successful logins EventCode=4624 and only want to show results if the host has had both interactive Logon_Type=2 and remote Logon_Type=10 logins. I tried my luck with transaction and dedup but had no luck. Any suggestions?

Example:

Host 1 Login, Remote
Host 2 Login, Remote
Host 2 Login, Remote
Host 1 Login, Interactive
Host 3 Login, Interactive
Host 4 Login, Remote
Host 4 Login, Interactive

This would ideally just return info on Host 1 and Host 4 because they have both interactive and remote logons, while Host 2 has only remote and Host 3 has only interactive.

Ideally the result would be just a table of hosts and possibly timestamps of the logins.

0 Karma
1 Solution

somesoni2
Revered Legend

How about this

index=foo sourcetype=bar EventCode=4624 (Logon_Type=2 OR Logon_Type=10) | stats values(Logon_Type) as Logon_Types by host | where mvcount(Logon_Types)=2

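The accepted search returns only the list of hosts. The question also asked for the logon timestamps, so here is an extended version as an added example (not from the original thread); `index=foo sourcetype=bar` are the placeholder index and sourcetype used in the answer. It splits `_time` into a per-logon-type field before `stats`, keeps only hosts where both logon types were seen, and renders first/last times for each type:

```spl
index=foo sourcetype=bar EventCode=4624 (Logon_Type=2 OR Logon_Type=10)
| eval interactive_time=if(Logon_Type=2, _time, null())
| eval remote_time=if(Logon_Type=10, _time, null())
| stats dc(Logon_Type) as logon_type_count
        count(interactive_time) as interactive_logons
        min(interactive_time) as first_interactive
        max(interactive_time) as last_interactive
        count(remote_time) as remote_logons
        min(remote_time) as first_remote
        max(remote_time) as last_remote
        by host
| where logon_type_count=2
| convert ctime(first_interactive) ctime(last_interactive) ctime(first_remote) ctime(last_remote)
| table host interactive_logons first_interactive last_interactive remote_logons first_remote last_remote
```

With the sample data from the question, only Host 1 and Host 4 survive the `where` clause, each with one interactive and one remote logon; adding `max(remote_time)` and `min(interactive_time)` side by side lets you see at a glance whether a remote logon preceded an interactive one on the same host.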

kalik
Explorer

Thanks a lot somesoni2, that worked exactly like I wanted it to do, and such a simple and elegant solution too! Thanks again!

0 Karma

hunters_splunk
Splunk Employee

Hi kalik,

I think you can use the mvcombine command to combine different login values pertaining to the same host into a single multivalue field. Assuming login is your field name, you can use the following example:

... | mvcombine delim=";" login 

After that, you can easily search for the multivalue login field for your login type and return the hostnames properly.

Hope this helps. Thanks!
Hunter

0 Karma

kalik
Explorer

Thanks Hunter, that didn't exactly work the way I wanted it to, but thank you for the suggestion!

0 Karma