Re: Show 2 eventcode fields

splunkcol · ‎07-07-2023

Hi

I need to run this query, I don't know what I'm missing but when I run it the src_ip field doesn't show me anything, I don't know what I'm missing.

Can you help me?

index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7 |  table _time, host, user, New_Process_Name, Process_Command_Line | rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"

Someone tried to help me and suggested this query but I don't know if it is correct but it doesn't show me the value of the src_ip field.

index=main source="WinEventLog:*" (EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7)
| table _time, host, user, New_Process_Name, Process_Command_Line
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
| join type=inner src_ip [ search index=main source="WinEventLog:*" EventCode=4624 | table EventCode, src_ip ]

inventsekar · ‎07-07-2023

index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7 
|  table _time, host, user, New_Process_Name, Process_Command_Line src_ip

when you run this, do you get src_ip results ah..

Best Regards,
Sekar
my youtube channel for Splunk Newbie Learnings
https://www.youtube.com/@SiemNewbies101/videos

How to show 2 eventcode fields?

count

join

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation