Splunk Search

How to only keep the rows related with process

New Member

Hello, in the below data I have a lot of processes and the ParentProcesses of them.
I would like to keep only the rows related to process "Process4", meaning the first 3 rows.

| makeresults 
  | eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10"
  | makemv mydata 
  | mvexpand mydata 
  | makemv delim="," mydata 
  | eval ParentProcess=mvindex(mydata,0) 
  | eval Process=mvindex(mydata,1)
  | table ParentProcess Process

Many thanks in advance.


Ultra Champion
| makeresults
| eval _raw="User,host,parent_process_id,parent_process,process_id,process,count
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10136,whoami,1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10540,\"AdobeExpiryCheck.exe\",1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",6764,hostname,1
NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,\"cmd\",1
NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1"
| multikv forceheader=1
| table User,host,parent_process_id,parent_process,process_id,process,count
| sort parent_process_id
| eval parent=parent_process_id."_".parent_process, child=process_id."_".process
| eval processes=mvappend(parent,child)
| stats list(processes) as processes
| nomv processes

There are many child processes; I dare keep this.


New Member

The approach is very good. However, from all these processes I am interested only in the ones that end with whoami. So I would like to find a way to end up with the below:

C:\WINDOWS\system32\services.exe -> C:\WINDOWS\PSEXESVC.EXE -> \"cmd\" -> whoami, excluding the rest.


Ultra Champion
| makeresults 
| eval _raw="User,host,parent_process_id,parent_process,process_id,process,count
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10136,whoami,1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10540,\"AdobeExpiryCheck.exe\",1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",6764,hostname,1
NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,\"cmd\",1
NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1" 
| multikv forceheader=1 
| table User,host,parent_process_id,parent_process,process_id,process,count 
| sort parent_process_id 
| eval processes=mvappend(parent_process,process) 
| dedup parent_process
| stats list(processes) as processes 
| eval processes=mvdedup(processes)
| eval processes=mvjoin(processes," -> ")

Ultra Champion
| makeresults 
| eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10" 
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval ParentProcess=mvindex(mydata,0) 
| eval Process=mvindex(mydata,1) 
| table ParentProcess Process
`comment("this is your sample")`
| sort - ParentProcess Process
| streamstats count(eval(match(ParentProcess,"Process4") OR match(Process,"Process4"))) as session
| where session > 0
| fields - session

It works because the field name is this.
It will not be useful if it is an actual log.


Hi, how about this?

| makeresults 
| eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10"
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval ParentProcess=mvindex(mydata,0) 
| eval Process=mvindex(mydata,1)
| table ParentProcess Process
| where match(ParentProcess, "Process4") OR match(Process, "Process4") 
| head 3

New Member

Basically I need to find a way, when I receive such logs, to track the full chain of the process.

User host parent_process_id parent_process process_id process count
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 10136 whoami 1
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 10540 "AdobeExpiryCheck.exe" 1
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 6764 hostname 1
NT AUTHORITY\SYSTEM Laptop 8100 C:\WINDOWS\PSEXESVC.EXE 11808 "cmd" 1
NT AUTHORITY\SYSTEM Laptop 816 C:\WINDOWS\system32\services.exe 8100 C:\WINDOWS\PSEXESVC.EXE 1

In this example I would like to find the below.

C:\WINDOWS\system32\services.exe->C:\WINDOWS\PSEXESVC.EXE->"cmd"->whoami

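The SPL answer above and the request restated in this post both come down to one operation: starting from a process of interest, follow parent_process_id back to process_id row by row until no parent row is left. The following Python is an added example, not code from the thread or from Splunk, and it implements that walk generically so it also covers the "Process1,Process2 ..." pairs from the original question. The five log rows and the pair list are the ones quoted in the thread, embedded here as constructed sample input; the function names (parse_log, ancestor_chain, chains_from_log, chains_from_pairs) are this example's own. It also handles what the SPL does not: a parent row that is missing, and cyclic data such as a reused PID, which would otherwise make the walk loop.

```python
"""Reconstruct a process ancestry chain from parent/child log rows."""
from __future__ import annotations

# Constructed sample: the five log rows quoted in the thread, as CSV text.
# A raw string keeps the backslashes and the literal quotes around "cmd".
SAMPLE_LOG = r"""User,host,parent_process_id,parent_process,process_id,process,count
NT AUTHORITY\SYSTEM,Laptop,11808,"cmd",10136,whoami,1
NT AUTHORITY\SYSTEM,Laptop,11808,"cmd",10540,"AdobeExpiryCheck.exe",1
NT AUTHORITY\SYSTEM,Laptop,11808,"cmd",6764,hostname,1
NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,"cmd",1
NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1"""

# Constructed sample: the "Parent,Child" pairs from the original question.
SAMPLE_PAIRS = ("Process1,Process2 Process2,Process3 Process3,Process4 "
                "Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10")


def parse_log(text: str) -> list[dict[str, str]]:
    """Split the CSV-like log into one dict per row. No field contains a
    comma, so a plain split keeps the quotes around "cmd" exactly as logged."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def ancestor_chain(parent_of: dict, name_of: dict, start, max_depth: int = 64) -> list[str]:
    """Walk from `start` up through `parent_of` until a node has no recorded
    parent. Returns display names root-first. The `seen` set stops on cyclic
    data (for example a reused PID) and `max_depth` bounds the walk anyway."""
    chain = [name_of.get(start, str(start))]
    seen = {start}
    node = start
    while node in parent_of and len(chain) < max_depth:
        node = parent_of[node]
        if node in seen:
            break  # cycle: stop instead of looping forever
        seen.add(node)
        chain.append(name_of.get(node, str(node)))
    return list(reversed(chain))


def chains_from_log(rows: list[dict[str, str]], target_process: str, sep: str = "->") -> list[str]:
    """Build the pid -> parent pid map from the rows, then return one joined
    chain per row whose `process` equals `target_process` (e.g. "whoami")."""
    parent_of: dict[str, str] = {}
    name_of: dict[str, str] = {}
    for r in rows:
        parent_of[r["process_id"]] = r["parent_process_id"]
        name_of[r["process_id"]] = r["process"]
        # A parent that never appears as a child (the root) only has a name
        # in the parent_process column, so record that too.
        name_of.setdefault(r["parent_process_id"], r["parent_process"])
    starts = [r["process_id"] for r in rows if r["process"] == target_process]
    return [sep.join(ancestor_chain(parent_of, name_of, pid)) for pid in starts]


def chains_from_pairs(pairs: str, target: str) -> list[str]:
    """Same walk over the space-separated "Parent,Child" pairs, where the
    process name is its own key. Returns the chain root-first."""
    parent_of: dict[str, str] = {}
    for pair in pairs.split():
        parent, child = pair.split(",")
        parent_of[child] = parent
    return ancestor_chain(parent_of, {}, target)


if __name__ == "__main__":
    for chain in chains_from_log(parse_log(SAMPLE_LOG), "whoami"):
        print(chain)
    print("-".join(chains_from_pairs(SAMPLE_PAIRS, "Process4")))
```

Run stand-alone it prints the whoami chain in the form requested above and `Process1-Process2-Process3-Process4` for the original sample. The walk keys on process_id rather than on the process name, which is why the three children of the same `"cmd"` (whoami, AdobeExpiryCheck.exe, hostname) do not get mixed into each other's chains, something the name-based `dedup parent_process` in the SPL cannot distinguish.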

New Member

Basically I would like somehow to check Process4 and then to check backwards Process3-Process2-Process1.

Basically I would like to find the full tree of the processes when I am selecting Process4.


Ultra Champion

Which is ParentProcess?


New Member

Process1 is the parent process of Process2.
Process2 is the parent process of Process3.
Process3 is the parent process of Process4.

So in the above example I would like to find a way to get the full chain from Process4 to Process1.


Ultra Champion

Have you tried my second query?


SplunkTrust

So, you want to keep the rows with Process4, and any rows connected to any process that is connected to that one, recursively?


New Member

Yes, exactly this one.
