
Need help to speed up a search

lgrachek
Explorer

The below search is what I have working now to see what users are not in the first event code.

index="wineventlog" EventCode="4723" status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count by user
| table user
| map search="search index=\"wineventlog\" EventCode=\"4724\" NOT user=$user$ status=success"
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)"
| dedup _time
| table _time, src_user, user, msad_action, status, ComputerName
| rename src_user as "Admin Account", user as "ICFI Account", msad_action as "Action", status as "Result", ComputerName as "Domain Controller"
| sort "Admin Account"

Is there any way to speed this up? It is taking a long time.


skoelpin
SplunkTrust

It's slow because you're using a sub-search to iterate through a list of users and comparing them to what you have indexed. You need to rewrite the search to exclude the map command and search two indexes and compare from index one to index two via stats.


lgrachek
Explorer

I guess I have not used stats like that before. How would you compare the two (index="wineventlog" EventCode="4723" status=success) OR (index="wineventlog" EventCode="4724" status=success) and find the users in EventCode="4724" that are not in EventCode="4723"?

We are trying to see if a user changes their own password after an Admin changed it for them.


skoelpin
SplunkTrust

Looks like it's the same index, so you will just compare event codes, same idea. This is untested and may need to be tweaked.

index="wineventlog" (EventCode="4723" OR EventCode="4724") status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count(src_user) AS count values(src_user) by EventCode
| where count!=1
| search EventCode="4723"

lgrachek
Explorer

Ok, so that I know how the stats works: you are just counting the src_user in both events and using the where to find the users that are not in the search EventCode=4724.

I flipped the event codes to get what the old search found.
Sorry for this, but I'm just trying to get my head around this so that I can add on to that.
I still have to remove events where the user was disabled after the password change, and that is 4725. The below search is what I changed on it.

index="wineventlog" (EventCode="4723" OR EventCode="4724" OR EventCode="4725") status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count(src_user) AS count values(src_user) by EventCode
| where count!=1
| search EventCode="4724"

skoelpin
SplunkTrust

Yes, correct. We are searching that index to bring back 2 event codes. We are then using stats to break it into a table form which will count the user by each unique EventCode. That by clause is breaking your EventCode into 2 rows with a single column. The where command is only returning results where a user is present in both EventCodes. So either event code could have a user present, but the last line only sorts for EventCode=4724.

If this solved your issue, please accept the answer.

lgrachek
Explorer

Ok, so if I add one more event code it should still work?

skoelpin
SplunkTrust

Depends what you're looking for. If you add an additional event code, with the current where filter, it will show a table view where users exist in at least 2 of the 3 event codes listed.

lgrachek
Explorer

Ok, so what I need to do is find users that are in event code 4724 but not in the other two event codes, 4723 and 4725. That is what I'm looking to get out of this, and then send it to a dashboard showing the total number of EventCode 4724.

skoelpin
SplunkTrust

Yes. Please accept the answer, as I gave you the correct SPL to solve your problem.

sandeepmakkena
Contributor

Which code is for the admin password change and which is for the user change?

lgrachek
Explorer

EventCode="4724" is the admin changing the password and 4723 is for the user changing their own password.

0 Karma
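The stats-based approach from the accepted answer, written out for the final requirement in the thread (accounts reset by an admin in 4724 that have neither a self-change 4723 nor a disable 4725 afterwards), with the 4724 total for a dashboard panel. This is an added example, not skoelpin's or lgrachek's SPL; it assumes, as the original map search does, that the `user` field holds the target account in all three event codes and `src_user` the account performing the action, and that the page's `src_user` regex identifies admin accounts.

```spl
``` Pull all three event codes in one pass instead of a map sub-search per user ```
index="wineventlog" (EventCode="4723" OR EventCode="4724" OR EventCode="4725") status=success
``` Keep only events whose acting account matches the page's admin-account pattern ```
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
``` One row per target account; count each event code separately rather than per EventCode ```
| stats count(eval(EventCode="4724")) AS admin_resets
        count(eval(EventCode="4723")) AS self_changes
        count(eval(EventCode="4725")) AS disables
        values(eval(if(EventCode="4724", src_user, null()))) AS admin_accounts
        latest(eval(if(EventCode="4724", _time, null()))) AS last_admin_reset
        values(ComputerName) AS domain_controllers
        by user
``` Set difference: present in 4724, absent from both 4723 and 4725 ```
| where admin_resets > 0 AND self_changes = 0 AND disables = 0
| convert ctime(last_admin_reset)
| rename user AS "ICFI Account", admin_accounts AS "Admin Account", last_admin_reset AS "Last Admin Reset", domain_controllers AS "Domain Controller"
| table "ICFI Account" "Admin Account" admin_resets "Last Admin Reset" "Domain Controller"
| sort "Admin Account"
``` Total number of 4724 resets still outstanding, for the dashboard single-value panel ```
| addcoltotals admin_resets labelfield="ICFI Account" label="Total"
```

The stats runs once over the whole result set, so cost scales with the number of events rather than the number of users times a sub-search each.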