Splunk Search

How to get the same search results as transaction, but with other commands like stats?

sadkha
Path Finder

Hi All,

I am using a transaction command to group log data by Account Name. I'm particularly interested in any account names that occur for 2 separate events at the same time. I've been able to get this through a transaction command, however the processing time is just way too long. My search is:

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | transaction Account_name startswith=eval(EventCode="4740") endswith=eval(EventCode="4771") maxspan=1m

Would like to see a table showing Account_Name, ComputerName, CallerName, ClientAddress. The first three are available through EventCode=4740, however it does not give me ClientAddress. The 4771 event (occurred at the same time, for same user) will have ClientAddress.

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | transaction Account_name startswith=eval(EventCode="4740") endswith=eval(EventCode="4771") maxspan=1m | table DATE/TIME user Account_Domain ComputerName Caller_Computer_Name Client_Address

The above satisfies what I need but are there alternatives?

0 Karma

Runals
Motivator

I'm not logged in but the query I'm building in my head after skimming your post (sorry) looks something like this:

get events | use coalesce() to align fields with different names depending on events if needed | stats dc(date_minute) as same_min values() values() values() by Account_Name | sort -same_min

I say that because in building a single query for a CMDB table generation that aligned fields from 11 sourcetypes across Windows and Linux events I used a combination of coalesce and then stats values() to pull it off. If you use stats w/o values you can end up with multiple lines for one Account_Name. Have used that approach for some Windows queries as well.

0 Karma

sadkha
Path Finder

Thanks for the tip! Any idea on how I can separate the events by both Account_Name and Time? Right now it's aggregating everything for a particular Account_Name, but I was hoping to see if I could separate them by time, so as to only show the 4771 and 4740 events that happened at the same time?

0 Karma

somesoni2
Revered Legend

Give this a try and see if it works and works better...

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | streamstats current=f window=1 first(EventCode) as prevEventCode | where isnull(prevEventCode) OR prevEventCode!=EventCode | eval sno=1 | accum sno | eval so=ceil(sno/2) | stats min(_time) as start max(_time) as end first(user) as user first(Account_Domain) as Account_Domain first(ComputerName) as ComputerName first(Caller_Computer_Name) as Caller_Computer_Name first(Client_Address) as Client_Address by so | eval duration=abs(end-start) | where duration<60

0 Karma
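The correlation this thread is after is a 4740 (account locked out) event followed within a minute by a 4771 (Kerberos pre-authentication failed) event for the same account, with ComputerName and Caller_Computer_Name coming from the 4740 side and Client_Address from the 4771 side. The following Python is an added reference model, not code from the thread or from Splunk: it approximates the transaction semantics of the original search and, beside it, the minute-bucket grouping that Runals' dc(date_minute) suggestion implies, so the two can be compared on the same input. The events, account names and addresses are constructed; field names mirror the thread's table.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real Windows Security log data). Times are
# epoch seconds; the field names mirror the ones used in the thread.
@dataclass
class WinEvent:
    time: float
    event_code: int
    account_name: str
    computer_name: Optional[str] = None          # present on 4740
    caller_computer_name: Optional[str] = None   # present on 4740
    client_address: Optional[str] = None         # present on 4771


SAMPLE_EVENTS: List[WinEvent] = [
    WinEvent(1000.0, 4740, "alice", computer_name="DC01", caller_computer_name="WS01"),
    WinEvent(1005.0, 4771, "alice", client_address="10.0.0.5"),
    WinEvent(2000.0, 4771, "bob", client_address="10.0.0.9"),    # 4771 with no 4740 at all
    WinEvent(3058.0, 4740, "carol", computer_name="DC01", caller_computer_name="WS07"),
    WinEvent(3062.0, 4771, "carol", client_address="10.0.0.7"),  # 4 s apart, but straddles a minute boundary
    WinEvent(5000.0, 4740, "dave", computer_name="DC02", caller_computer_name="WS03"),
    WinEvent(5200.0, 4771, "dave", client_address="10.0.0.3"),   # 200 s apart: outside maxspan
]


def pair_lockout_with_preauth(events: List[WinEvent], maxspan: float = 60.0) -> List[dict]:
    """Approximate `transaction Account_Name startswith=4740 endswith=4771 maxspan=1m`.

    Walks events in time order, remembers the latest open 4740 per account and
    closes it with the next 4771 for that account if it arrives within maxspan.
    The merged row carries the 4740 fields plus the 4771's Client_Address,
    which is what the original search tabulates.
    """
    open_lockouts: Dict[str, WinEvent] = {}
    rows: List[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_code == 4740:
            open_lockouts[ev.account_name] = ev  # a newer 4740 supersedes an unmatched older one
        elif ev.event_code == 4771 and ev.account_name in open_lockouts:
            start = open_lockouts.pop(ev.account_name)
            duration = ev.time - start.time
            if duration <= maxspan:
                rows.append({
                    "Account_Name": ev.account_name,
                    "start": start.time,
                    "duration": duration,
                    "ComputerName": start.computer_name,
                    "Caller_Computer_Name": start.caller_computer_name,
                    "Client_Address": ev.client_address,
                })
    return rows


def accounts_with_both_in_same_minute(events: List[WinEvent]) -> List[str]:
    """The cheaper `stats ... by Account_Name` plus wall-clock-minute alternative.

    Groups by account and fixed minute bucket and keeps accounts whose bucket
    holds both event codes. A pair that crosses a minute boundary (carol above)
    lands in two buckets and is missed, which transaction's relative maxspan
    does not suffer from.
    """
    codes_by_bucket: Dict[Tuple[str, int], set] = {}
    for ev in events:
        bucket = (ev.account_name, int(ev.time // 60))
        codes_by_bucket.setdefault(bucket, set()).add(ev.event_code)
    return sorted({acct for (acct, _), codes in codes_by_bucket.items() if {4740, 4771} <= codes})


if __name__ == "__main__":
    for row in pair_lockout_with_preauth(SAMPLE_EVENTS):
        print(row)
    print("same-minute matches:", accounts_with_both_in_same_minute(SAMPLE_EVENTS))
```

On the sample data the transaction-style pairing returns alice and carol and correctly drops bob (no 4740) and dave (outside the window), while the minute-bucket grouping returns only alice. In SPL the same boundary caveat applies to any `bin _time span=1m` or `date_minute` grouping: it is fast, but two events 4 seconds apart can fall into different buckets, so a streamstats-based pairing (as in the answer above) or transaction is needed when the window must be relative to the 4740 event rather than aligned to the clock.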

sadkha
Path Finder

Unfortunately the two logs aren't aggregated when I tried this, and nothing came up on the Statistics tab.

When I used ...| stats values(ComputerName) values(EventCode) values(Client_Address) by "Account_Name", this grouped the events the way I wanted to; however, I was wondering if I could:
a) Get rid of the rows that only had a "4771" event
b) Separate the events by time, so as to only show 4771 and 4740 events that occurred at the same time by Account_Name

I think streamstats will accomplish this but I'm not sure how to tweak your suggestion to fit this. Thanks so much for your help!

0 Karma

sadkha
Path Finder

By using that query with the transaction, I get what I need, but I was wondering if there were alternative ways to do this?

0 Karma

sadkha
Path Finder

Would like to see a table showing Account_Name, ComputerName, CallerName, ClientAddress. The first three are available through EventCode=4740, however it does not give me ClientAddress. The 4771 event (occurred at the same time, for same user) will have ClientAddress.

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | transaction Account_name startswith=eval(EventCode="4740") endswith=eval(EventCode="4771") maxspan=1m | table DATE/TIME user Account_Domain ComputerName Caller_Computer_Name Client_Address

0 Karma

emiller42
Motivator

We won't know if what you want is possible unless you tell us what you want. Can you elaborate on what the intended output is?

0 Karma

sadkha
Path Finder

I am interested in the logs for EventCode=4740, and would like to find the correlating 4771 event which occurred at the same time for a particular user. By using the transaction command with maxspan=1m, it pulls in the logs for both events which happened at the same time for a particular user, and then I can pick and choose which fields I want to show in a table, for every user account.

0 Karma

somesoni2
Revered Legend

What aggregation do you need to perform? It seems possible to me.

0 Karma