Splunk Search

Need help to speed up a search

lgrachek
Explorer

The search below is what I have working now to see which users are not in the first event code.

index="wineventlog" EventCode="4723" status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count by user
| table user
| map search="search index="wineventlog" EventCode="4724" NOT user=$user$ status=success"
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)"
| dedup _time
| table _time, src_user, user, msad_action, status, ComputerName
| rename src_user as "Admin Account", user as "ICFI Account", msad_action as "Action", status as "Result", ComputerName as "Domain Controller"
| sort "Admin Account"

Is there any way to speed this up? It is taking a long time.

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

It's slow because you're using a sub-search to iterate through a list of users and comparing them to what you have indexed. You need to re-write the search to exclude the map command, search the two indexes, and compare index one to index two via stats.


0 Karma

lgrachek
Explorer

I guess I have not used stats like that before. How would you compare the two, (index="wineventlog" EventCode="4723" status=success) OR (index="wineventlog" EventCode="4724" status=success), and find the users in EventCode="4724" that are not in EventCode="4723"?

We are trying to see if a user changes their own password after an Admin changed it for them.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Looks like it's the same index, so you will just compare event codes; same idea. This is untested and may need to be tweaked.

index="wineventlog" (EventCode="4723"  OR EventCode="4724")  status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count(src_user) AS count values(src_user) by EventCode
| where count!=1
| search EventCode="4723"
0 Karma

lgrachek
Explorer

Ok, so that I know how the stats works: you are just counting the src_user in both events and using the where to find the users that are not in the search eventcode=4724.

I flipped the event codes to get what the old search found.
Sorry for this, but I'm just trying to get my head around this so that I can add on to it.
I still have to remove events where the user was disabled after the password change, and that is 4725. The search below is what I changed it to.

index="wineventlog" (EventCode="4723" OR EventCode="4724" OR EventCode="4725") status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count(src_user) AS count values(src_user) by EventCode
| where count!=1
| search EventCode="4724"
0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes, correct. We are searching that index to bring back 2 event codes. We are then using stats to break it into a table form which will count the user by each unique EventCode. That by clause is breaking your EventCode into 2 rows with a single column. The where command is only returning results where a user is present in both EventCodes. So either event code could have a user present, but the last line is only sorting for EventCode=4724.

If this solved your issue, please accept the answer

0 Karma

lgrachek
Explorer

Ok, so if I add one more event code it should still work?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Depends what you're looking for. If you add an additional event code, with the current where filter, it will show a table view where users exist in at least 2 of the 3 event codes listed.

0 Karma

lgrachek
Explorer

Ok, so what I need to do is find users that are in event code 4724 but not in the other two event codes, 4723 and 4725. That is what I'm looking to get out of this, and then send it to a dashboard showing the total number of event code 4724.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes. Please accept the answer, as I gave you the correct SPL to solve your problem.

0 Karma
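The set difference the thread is after (successful 4724 admin resets whose target account never shows a later 4723 self-change or 4725 disable), written out as an added Python example that is not part of the thread and is not Splunk SPL. It groups by the target account rather than by EventCode and compares timestamps, so a self-change that happened before the admin reset is not treated as a follow-up. The admin-account regex is the one from the thread; the sample events, host names and account names are constructed, and the 4725 meaning follows the poster's description.

```python
import re
from collections import defaultdict

# Admin-account naming pattern, copied from the regex the thread applies to src_user.
ADMIN_SRC_USER = re.compile(r"(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})")

# Event codes as the thread describes them.
ADMIN_RESET = "4724"   # an admin set another account's password
SELF_CHANGE = "4723"   # the account changed its own password
DISABLED = "4725"      # the account was disabled afterwards (per the poster)
FOLLOWUP_CODES = {SELF_CHANGE, DISABLED}

# Constructed sample events (not real log data). Field names follow the thread:
# src_user = account performing the action, user = account acted on, _time = epoch-style int.
EVENTS = [
    {"_time": 100, "EventCode": "4724", "src_user": "N123456ss", "user": "alice", "status": "success", "ComputerName": "DC01"},
    {"_time": 150, "EventCode": "4723", "src_user": "alice",     "user": "alice", "status": "success", "ComputerName": "DC01"},
    {"_time": 200, "EventCode": "4724", "src_user": "12345ss",   "user": "bob",   "status": "success", "ComputerName": "DC02"},
    {"_time": 300, "EventCode": "4724", "src_user": "N654321",   "user": "carol", "status": "success", "ComputerName": "DC01"},
    {"_time": 320, "EventCode": "4725", "src_user": "N654321",   "user": "carol", "status": "success", "ComputerName": "DC01"},
    {"_time": 400, "EventCode": "4724", "src_user": "helpdesk",  "user": "dave",  "status": "success", "ComputerName": "DC02"},  # src_user not an admin pattern
    {"_time": 500, "EventCode": "4724", "src_user": "N111111",   "user": "erin",  "status": "failure", "ComputerName": "DC02"},  # failed reset
    {"_time": 600, "EventCode": "4723", "src_user": "frank",     "user": "frank", "status": "success", "ComputerName": "DC01"},  # self-change BEFORE the reset
    {"_time": 650, "EventCode": "4724", "src_user": "N222222",   "user": "frank", "status": "success", "ComputerName": "DC01"},
]


def _success(event):
    return event.get("status") == "success"


def admin_resets(events, pattern=ADMIN_SRC_USER):
    """Successful 4724 events whose src_user matches the admin-account pattern."""
    return [e for e in events
            if _success(e) and e["EventCode"] == ADMIN_RESET
            and pattern.search(e.get("src_user", ""))]


def resets_without_followup(events, pattern=ADMIN_SRC_USER):
    """Admin resets for which the target account shows no 4723/4725 at or after the reset.

    Follow-ups are indexed by the target account ('user'); 4723 is keyed on 'user' rather
    than src_user because a self-change is performed by the account itself.
    """
    followups = defaultdict(list)          # user -> times of successful 4723/4725 events
    for e in events:
        if _success(e) and e["EventCode"] in FOLLOWUP_CODES:
            followups[e["user"]].append(e["_time"])

    rows = []
    for reset in admin_resets(events, pattern):
        if any(t >= reset["_time"] for t in followups.get(reset["user"], [])):
            continue                        # the user changed it themselves or was disabled later
        rows.append({                       # same columns as the thread's rename/table
            "Admin Account": reset["src_user"],
            "ICFI Account": reset["user"],
            "Action": reset.get("msad_action", ""),
            "Result": reset["status"],
            "Domain Controller": reset["ComputerName"],
        })
    rows.sort(key=lambda row: row["Admin Account"])
    return rows


def total_admin_resets(events, pattern=ADMIN_SRC_USER):
    """The dashboard figure the poster asked for: total successful admin resets."""
    return len(admin_resets(events, pattern))


if __name__ == "__main__":
    for row in resets_without_followup(EVENTS):
        print(row)
    print("total 4724:", total_admin_resets(EVENTS))
```

With the constructed events, alice and carol drop out (later 4723 and 4725 respectively), dave is excluded because his src_user does not match the admin pattern, erin because the reset failed, and bob and frank are reported; frank's earlier self-change does not count because it predates the reset.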

sandeepmakkena
Contributor

Which code is for the admin password change, and which is for the user change?

0 Karma

lgrachek
Explorer

EventCode="4724" is the admin changing a password, and 4723 is for the user changing their own password.

0 Karma