Splunk Search

I am not being able to calculate time difference between two event codes that are 1100 and 13, and also i want to exclude the logs if the interval between these two codes are less than 15 seconds


Am trying below query but its not Working:
index=* (sourcetype=WinEventLog:System OR sourcetype=WinEventLog:Security) (EventCode=1102 OR EventCode=13 OR EventCode=1100) EventType=4 dvc="MS-FR4-EXM-008" <1100> | stats max(_time) as maxtime min(_time) as mintime | eval difference=maxtime-mintime | eval difference=strftime(difference,"%d:%H:%M:%S")

Tags (1)
0 Karma


First, try this part, and see if you are getting the events, and only the events, that you care about. For instance, on my system, those EventIDs do not have an EventType.

index=* (sourcetype=WinEventLog:System OR sourcetype=WinEventLog:Security) (EventCode=1102 OR EventCode=13 OR EventCode=1100) EventType=4 dvc="MS-FR4-EXM-008"

Second, you can simply use range(_time) to get the difference in seconds between the first and last events that are selected...

| stats range(_time) as duration by dvc

However, I think before you do that, you should probably make sure you are dealing with only a single most-recent instance of your event, and that the events happened in the order you care about. In my system, usually 1102 happens, then 1100. I'm not sure when EventCode 13 might occur in the scenario you are trying to detect, so adjust the code as needed...

| rename COMMENT as "1002 audit log cleared, 1000 logging shut down, 13 enrollment error"

| rename COMMENT as "this section sets up individual time fields and copies them to all records for each dvc"
| eval Time1100 = if(EventCode=1100,_time,null())
| eval Time1102 = if(EventCode=1102,_time,null())
| eval Time13 = if(EventCode=13,_time,null())
| eventstats  max(Time1*) as maxTime1* by dvc

| rename COMMENT as "this section drops any records that are not the most recent."
| where ((Time1100==maxTime1100) OR (Time1102==maxTime1102) OR (Time13==maxTime13))

| rename COMMENT as "you should drop any records here that are enough out of order so as to be irrelevant."
| where (isnull(Time1100) OR (Time1100<=maxTime13))
| where (isnull(Time1102) OR (Time1102<=maxTime13))
| where (isnull(Time13) OR (Time13>=maxTime1100) OR (Time13>=maxTime1102))

| rename COMMENT as "here you calculate duration in seconds then in hours for display."
| stats  range(_time) as duration, max(Time1*) as maxTime1* by dvc
| where duration >15
| eval durationHours = round(duration/3600,2)

The section that drops records needs to be revisited based on knowing your data and your strategy for pulling data. For instance, you might want to ignore any 1100 and 1102 records that are after the last 13 record, so you'd use eventstats to find the last 13, then filter to drop all prior 13s and all subsequent 1100s and 1102s. THEN you'd use eventstats again to find the dates of the last 1100 and 1102 and drop all priors.

0 Karma


Maybe transaction command can help you

you can use startswith=EventCode=13 and endswith=EventCode=1100 arguments
also transaction command generates duration field(difference between first and last event) and you can search transactions where duration>=15

Full description of transaction command

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...