Solved: How to search for an event and other surrounding e...

security_mike · ‎01-18-2023

Hi All,

I'm pretty new to Splunk so forgive me if this is an easy question.

I'm trying to figure out how to a) search for an event and then b) search for different events that happened before/after the event.

For example, I want to search failed logins for a certain account, and then try to find other login events for that host 5 mins before and after. I can figure out how to search for the events individually, but don't know how to combine them and then format them into something like a table.

So my first search would be:

index="wineventlog" EventCode=4768 Result_Code=0x6

And the second search would be based on the first search, but for a different event code:

search index="wineventlog" EventCode=4624 | "filter by the results of the first search 5 mins before/after each event"

Eventually I'd want to get to a table similar to this:

Time Event Supporting Events

Jan 18 @ 10:01am Event 1 Jan 18 @ 10:03am Event 1a

Jan 18 @ 10:02am Event 1b

Jan 17 @ 7:33am Event 2 Jan 17 @ 7:35am Event 2a

Jan 17 @ 7:32am Event 2b

ect...etc...

Thanks!

security_mike · ‎01-26-2023

Thank you! I just had to add some brackets, but that gave me exactly the results I was looking for.

index="wineventlog" (EventCode=4624 OR (EventCode=4768 Result_Code=0x6))
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip

View solution in original post

yuanliu · ‎01-18-2023

The logic is inverted in the following. Try

index="wineventlog" EventCode=4624
    [ index="wineventlog" EventCode=4768 Result_Code=0x6
    | eval earliest = relative_time(_time, "-5m"), latest = relative_time(_time, "+5m")
    | table earliest latest]

security_mike · ‎01-24-2023

Thank you! That definitely helped my think about what I needed to do, and I was able to get this half-working:

index="wineventlog" EventCode=4624
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip] 
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip

My issue now is that this only returns the Account_Name values from the outside search (EventCode=4624) and not the Account_Name values from the subsearch (EventCode=4768 Result_Code=0x6).

Is there a way to pass/combine the results of the subsearch into the main search?

yuanliu · ‎01-25-2023

No, there is no way to "pass" results into a subsearch but you can get the values passed to the output. The logic is kind of straightforward, albeit requiring a bit of thinking.

Here, I assume that you want to place all those Account_Name into the same pot:

index="wineventlog" (EventCode=4624 OR EventCode=4768 Result_Code=0x6)
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip

security_mike · ‎01-26-2023

Thank you! I just had to add some brackets, but that gave me exactly the results I was looking for.

index="wineventlog" (EventCode=4624 OR (EventCode=4768 Result_Code=0x6))
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip

How to search for an event and other surrounding events?

table

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk