Re: Show 2 eventcode fields

splunkcol · ‎07-07-2023

Hi

I need to run this query, I don't know what I'm missing but when I run it the src_ip field doesn't show me anything, I don't know what I'm missing.

Can you help me?

index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7 |  table _time, host, user, New_Process_Name, Process_Command_Line | rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"

Someone tried to help me and suggested this query but I don't know if it is correct but it doesn't show me the value of the src_ip field.

index=main source="WinEventLog:*" (EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7)
| table _time, host, user, New_Process_Name, Process_Command_Line
| rename host AS Host, user AS Usuario, New_Process_Name AS "Proceso nuevo", Process_Command_Line AS "Comando"
| join type=inner src_ip [ search index=main source="WinEventLog:*" EventCode=4624 | table EventCode, src_ip ]

inventsekar · ‎07-07-2023

index=main source="WinEventLog:*" EventCode=4688 Creator_Process_Name="*wmiprvse.exe" AND NOT Logon_ID=0x3E7 
|  table _time, host, user, New_Process_Name, Process_Command_Line src_ip

when you run this, do you get src_ip results ah..

Best Regards,
Sekar
my youtube channel for Splunk Newbie Learnings
https://www.youtube.com/@SiemNewbies101/videos

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

How to show 2 eventcode fields?

count

join

stats

table

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation