Splunk Search

How to search for an event and other surrounding events?

security_mike
Explorer

Hi All,

I'm pretty new to Splunk so forgive me if this is an easy question.

I'm trying to figure out how to a) search for an event and then b) search for different events that happened before/after the event.

For example, I want to search failed logins for a certain account, and then try to find other login events for that host 5 mins before and after. I can figure out how to search for the events individually, but don't know how to combine them and then format them into something like a table.

So my first search would be:

index="wineventlog" EventCode=4768 Result_Code=0x6

And the second search would be based on the first search, but for a different event code:

search index="wineventlog" EventCode=4624 | "filter by the results of the first search 5 mins before/after each event"

Eventually I'd want to get to a table similar to this:

Time               Event      Supporting Events
Jan 18 @ 10:01am   Event 1    Jan 18 @ 10:03am   Event 1a
                              Jan 18 @ 10:02am   Event 1b
Jan 17 @ 7:33am    Event 2    Jan 17 @ 7:35am    Event 2a
                              Jan 17 @ 7:32am    Event 2b
etc...etc...

Thanks!

1 Solution

security_mike
Explorer

Thank you! I just had to add some brackets, but that gave me exactly the results I was looking for.

index="wineventlog" (EventCode=4624 OR (EventCode=4768 Result_Code=0x6))
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip


yuanliu
SplunkTrust

The logic is inverted in the following.  Try

index="wineventlog" EventCode=4624
    [ index="wineventlog" EventCode=4768 Result_Code=0x6
    | eval earliest = relative_time(_time, "-5m"), latest = relative_time(_time, "+5m")
    | table earliest latest]

security_mike
Explorer

Thank you! That definitely helped me think about what I needed to do, and I was able to get this half-working:

index="wineventlog" EventCode=4624
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip] 
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip

My issue now is that this only returns the Account_Name values from the outside search (EventCode=4624) and not the Account_Name values from the subsearch (EventCode=4768 Result_Code=0x6).

Is there a way to pass/combine the results of the subsearch into the main search?


yuanliu
SplunkTrust

No, there is no way to "pass" results into a subsearch but you can get the values passed to the output.  The logic is kind of straightforward, albeit requiring a bit of thinking.

Here, I assume that you want to place all those Account_Name into the same pot:

index="wineventlog" (EventCode=4624 OR EventCode=4768 Result_Code=0x6)
    [ search index="wineventlog" EventCode=4768 Result_Code=0x6
    | table src_ip]
| stats count, distinct_count(Account_Name), values(Account_Name) by src_ip
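The two answers above implement two different things: the first one builds an earliest/latest window of 5 minutes around each failed 4768 (the original question), the second one drops the time window and simply puts every 4624 and failed 4768 from the same src_ip into one pot for stats. The following Python is an added example (not code from the thread or from Splunk) that models both pieces of logic outside Splunk on a constructed, hand-written set of events with the field names used in the thread (_time, EventCode, Result_Code, Account_Name, src_ip). It goes slightly beyond the accepted answer in that the stats-style summary is also restricted to the +/-5 minute window, which is what the question originally asked for. The helper names and the sample values are assumptions for the sake of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed sample events (not real log data). EventCode 4768 with
# Result_Code 0x6 is a Kerberos TGT request for a client principal the KDC
# does not know; EventCode 4624 is a successful logon.
SAMPLE_EVENTS = [
    {"_time": "2024-01-18 10:01:00", "EventCode": 4768, "Result_Code": "0x6", "Account_Name": "jdoe2", "src_ip": "10.0.0.5"},
    {"_time": "2024-01-18 10:02:00", "EventCode": 4624, "Account_Name": "jdoe", "src_ip": "10.0.0.5"},
    {"_time": "2024-01-18 10:03:00", "EventCode": 4624, "Account_Name": "svc_backup", "src_ip": "10.0.0.5"},
    {"_time": "2024-01-18 10:30:00", "EventCode": 4624, "Account_Name": "jdoe", "src_ip": "10.0.0.5"},  # outside the window
    {"_time": "2024-01-17 07:33:00", "EventCode": 4768, "Result_Code": "0x6", "Account_Name": "admin", "src_ip": "10.0.0.9"},
    {"_time": "2024-01-17 07:32:00", "EventCode": 4624, "Account_Name": "alice", "src_ip": "10.0.0.9"},
    {"_time": "2024-01-17 07:35:00", "EventCode": 4624, "Account_Name": "alice", "src_ip": "10.0.0.9"},
    {"_time": "2024-01-17 07:34:00", "EventCode": 4624, "Account_Name": "bob", "src_ip": "10.0.0.22"},  # other source, no failure
]


def _ts(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def is_failed_tgt(event):
    """The anchor search from the question: EventCode=4768 Result_Code=0x6."""
    return event.get("EventCode") == 4768 and event.get("Result_Code") == "0x6"


def supporting_events(events, anchor, window=WINDOW):
    """Equivalent of the subsearch emitting earliest/latest per failure, plus the
    src_ip restriction: every other event from the same source within +/- window
    of the anchor, oldest first."""
    t0 = _ts(anchor)
    hits = [e for e in events
            if e is not anchor
            and e["src_ip"] == anchor["src_ip"]
            and abs(_ts(e) - t0) <= window]
    return sorted(hits, key=_ts)


def describe(event):
    if is_failed_tgt(event):
        return "4768 TGT request failed (0x6) for %s" % event["Account_Name"]
    return "%s successful logon for %s" % (event["EventCode"], event["Account_Name"])


def correlate(events, window=WINDOW):
    """Rows of the table asked for in the question: one per failed TGT request,
    newest first (Splunk's default order), each with its supporting events."""
    rows = []
    for anchor in sorted(filter(is_failed_tgt, events), key=_ts, reverse=True):
        rows.append({
            "time": anchor["_time"],
            "event": describe(anchor),
            "supporting": [(e["_time"], describe(e))
                           for e in supporting_events(events, anchor, window)],
        })
    return rows


def account_summary(events, window=WINDOW):
    """The 'same pot' aggregation from the accepted answer
    (stats count, distinct_count(Account_Name), values(Account_Name) by src_ip),
    limited to the +/- window around each failure."""
    pot = {}  # keyed by id() so an event near two failures is counted once
    for anchor in filter(is_failed_tgt, events):
        pot[id(anchor)] = anchor
        for e in supporting_events(events, anchor, window):
            pot[id(e)] = e
    by_src = defaultdict(list)
    for e in pot.values():
        by_src[e["src_ip"]].append(e["Account_Name"])
    return {src: {"count": len(names),
                  "distinct_count": len(set(names)),
                  "values": sorted(set(names))}
            for src, names in by_src.items()}


def render(rows):
    """Plain-text version of the Time / Event / Supporting Events table."""
    lines = ["%-20s %-42s %s" % ("Time", "Event", "Supporting Events")]
    for row in rows:
        if not row["supporting"]:
            lines.append("%-20s %-42s" % (row["time"], row["event"]))
        for i, (t, desc) in enumerate(row["supporting"]):
            lead = (row["time"], row["event"]) if i == 0 else ("", "")
            lines.append("%-20s %-42s %s  %s" % (lead[0], lead[1], t, desc))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(correlate(SAMPLE_EVENTS)))
    for src, summary in account_summary(SAMPLE_EVENTS).items():
        print(src, summary)
```

Running it prints the two-row table from the question (the 10:30 logon is dropped because it is outside the window, and the 10.0.0.22 logon because no failure came from that source) and a per-src_ip summary with the same three columns the final SPL produces.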
