Hi All,
I'm pretty new to Splunk so forgive me if this is an easy question.
I'm trying to figure out how to a) search for an event and then b) search for different events that happened before/after the event.
For example, I want to search failed logins for a certain account, and then try to find other login events for that host 5 mins before and after. I can figure out how to search for the events individually, but don't know how to combine them and then format them into something like a table.
So my first search would be:
index="wineventlog" EventCode=4768 Result_Code=0x6
And the second search would be based on the first search, but for a different event code:
search index="wineventlog" EventCode=4624 | "filter by the results of the first search 5 mins before/after each event"
Eventually I'd want to get to a table similar to this:
Time             | Event   | Supporting Events
Jan 18 @ 10:01am | Event 1 | Jan 18 @ 10:03am Event 1a
                 |         | Jan 18 @ 10:02am Event 1b
Jan 17 @ 7:33am  | Event 2 | Jan 17 @ 7:35am Event 2a
                 |         | Jan 17 @ 7:32am Event 2b
etc...
Thanks!
The logic is inverted in the following. Try
index="wineventlog" EventCode=4624
[ search index="wineventlog" EventCode=4768 Result_Code=0x6
| eval earliest = relative_time(_time, "-5m"), latest = relative_time(_time, "+5m")
| table earliest latest]
Thank you! That definitely helped me think about what I needed to do, and I was able to get this half-working:
index="wineventlog" EventCode=4624
[ search index="wineventlog" EventCode=4768 Result_Code=0x6
| table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip
My issue now is that this only returns the Account_Name values from the outside search (EventCode=4624) and not the Account_Name values from the subsearch (EventCode=4768 Result_Code=0x6).
Is there a way to pass/combine the results of the subsearch into the main search?
No, there is no way to "pass" results into a subsearch but you can get the values passed to the output. The logic is kind of straightforward, albeit requiring a bit of thinking.
Here, I assume that you want to place all those Account_Name into the same pot:
index="wineventlog" (EventCode=4624 OR EventCode=4768 Result_Code=0x6)
[ search index="wineventlog" EventCode=4768 Result_Code=0x6
| table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip
Thank you! I just had to add some brackets, but that gave me exactly the results I was looking for.
index="wineventlog" (EventCode=4624 OR (EventCode=4768 Result_Code=0x6))
[ search index="wineventlog" EventCode=4768 Result_Code=0x6
| table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip
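The searches above collect both event types into one pot per src_ip, but they do not produce the per-trigger layout asked for at the top of the thread (one failed logon, then the logons from the same source within +/-5 minutes). The added example below, which is not from this thread or from Splunk's documentation, does that with the map command: the outer search finds each Kerberos pre-authentication failure (EventCode=4768, Result_Code=0x6), computes a window around its timestamp with relative_time, and map runs one EventCode=4624 search per failure with that window and src_ip substituted in. Field names src_ip and Account_Name follow the thread; the 4768/4624 pairing, the maxsearches value, the Logon_Type field and the display format are assumptions. Note also why the inner parentheses in the final post are required: Splunk evaluates OR before the implicit AND, so EventCode=4624 OR EventCode=4768 Result_Code=0x6 is read as (EventCode=4624 OR EventCode=4768) AND Result_Code=0x6.

```spl
index="wineventlog" EventCode=4768 Result_Code=0x6
| eval trigger_time=_time, win_start=relative_time(_time, "-5m"), win_end=relative_time(_time, "+5m")
| rename Account_Name AS trigger_account
| fields trigger_time trigger_account src_ip win_start win_end
| map maxsearches=200 search="search index=\"wineventlog\" EventCode=4624 src_ip=\"$src_ip$\" earliest=$win_start$ latest=$win_end$ | eval trigger_time=$trigger_time$, trigger_account=\"$trigger_account$\", trigger_src=\"$src_ip$\" | table trigger_time trigger_account trigger_src _time Account_Name Logon_Type"
| eval supporting_event=strftime(_time, "%b %d %I:%M%p") . " 4624 " . Account_Name . " (logon type " . Logon_Type . ")"
| stats values(supporting_event) AS "Supporting Events" by trigger_time trigger_src trigger_account
| eval Time=strftime(trigger_time, "%b %d %I:%M%p"), Event="4768 Result_Code=0x6 " . trigger_account . " from " . trigger_src
| sort - trigger_time
| table Time Event "Supporting Events"
```

Two things to keep in mind when using this: map runs one search per outer result, so it should be restricted with maxsearches (the default is 10) and a narrow time range on the outer search rather than pointed at a week of failed logons; and a failure with no 4624 events in its window yields no rows from its inner search, so it drops out of the final table. If that is a problem, the subsearch form from earlier in the thread (returning src_ip, earliest and latest from the 4768 events into the 4624 search) keeps the cost to a single search, at the price of the default subsearch limits of 10,000 results and 60 seconds.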