Splunk Search

Need help to speed up a search

Explorer

the below search is what I have working now to see what users are not in the first event code.

index="wineventlog" EventCode="4723" status=success
| regex srcuser="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count by user
| table user
| map search="search index=wineventlog EventCode=4724 NOT user=$user$ status=success"
| regex srcuser="(\b\d{5}ss\b)|([N]\d{6}ss)"
| dedup _time
| table _time, srcuser, user, msad_action, status, ComputerName
| rename srcuser as "Admin Account", user as "ICFI Account", msad_action as "Action", status as "Result", ComputerName as "Domain Controller"
| sort "Admin Account"

Is there any way to speed this up? It is taking a long time.

0 Karma

Re: Need help to speed up a search

SplunkTrust
SplunkTrust

It's slow because you're using a sub-search to iterate through a list of users and comparing them to what you have indexed. You need to re-write the search to exclude the map command, search the two indexes, and compare from index one to index two via stats.


0 Karma

Re: Need help to speed up a search

Explorer

I guess I have not used stats like that before. How would you compare the two (index="wineventlog" EventCode="4723" status=success) OR (index="wineventlog" EventCode="4724" status=success) and find the users in EventCode="4724" that are not in EventCode="4723"?

We are trying to see if a user changes their own password after an Admin changed it for them.

0 Karma

Re: Need help to speed up a search

Contributor

Which code is for the admin password change and which is for the user change?

0 Karma

Re: Need help to speed up a search

Explorer

EventCode="4724" is the admin password change and 4723 is for the user changing their own password.

0 Karma

Re: Need help to speed up a search

SplunkTrust
SplunkTrust

Looks like it's the same index, so you will just compare eventcodes, same idea. This is untested and may need to be tweaked.

index="wineventlog" (EventCode="4723" OR EventCode="4724") status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count(src_user) AS count values(src_user) by EventCode
| where count!=1
| search EventCode="4723"

0 Karma

Re: Need help to speed up a search

Explorer

OK, so that I know how the stats works: you are just counting the src_user in both events and using the where to find the users that are not in the search EventCode=4724.

I flipped the eventcodes to get what the old search found.
Sorry for this, but I'm just trying to get my head around this so that I can add on to it.
I still have to remove events where the user was disabled after the password change, and that is 4725. The below search is what I changed on it.

index="wineventlog" (EventCode="4723" OR EventCode="4724" OR EventCode="4725") status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| stats count(src_user) AS count values(src_user) by EventCode
| where count!=1
| search EventCode="4724"

0 Karma

Re: Need help to speed up a search

SplunkTrust
SplunkTrust

Yes, correct. We are searching that index to bring back 2 event codes. We are then using stats to break it into a table form which will count the user by each unique EventCode. That by clause is breaking your EventCode into 2 rows with a single column. The where command is only returning results where a user is present in both EventCodes. So either eventcode could have a user present, but the last line is only sorting for EventCode=4724.

If this solved your issue, please accept the answer.

0 Karma
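The approach the thread settles on (one pass over the index, then stats instead of map) can be written so that stats groups by the target account rather than by EventCode, which is what a per-user comparison needs. The search below is an added example, not one posted in the thread; it assumes the same index and field names the thread uses (index "wineventlog", fields EventCode, status, user for the target account, src_user for the subject, ComputerName) and keeps the asker's regex filter unchanged. It goes a step beyond the "present in 4724 but not in 4723" membership test: it also keeps users whose only self-change (4723) happened before the admin reset (4724), and drops any account that has a 4725 disable event.

```spl
index="wineventlog" (EventCode=4723 OR EventCode=4724 OR EventCode=4725) status=success
| regex src_user="(\b\d{5}ss\b)|([N]\d{6}ss)|(\b\d{5})|([N]\d{6})"
| eval reset_time=if(EventCode=4724, _time, null())
| eval self_change_time=if(EventCode=4723, _time, null())
| eval disabled=if(EventCode=4725, 1, 0)
| eval admin_account=if(EventCode=4724, src_user, null())
| eval controller=if(EventCode=4724, ComputerName, null())
| stats min(reset_time) AS first_reset max(self_change_time) AS last_self_change sum(disabled) AS disabled_count values(admin_account) AS admin_accounts values(controller) AS domain_controllers BY user
| where isnotnull(first_reset) AND disabled_count=0 AND (isnull(last_self_change) OR last_self_change < first_reset)
| convert ctime(first_reset) ctime(last_self_change)
| rename user AS "ICFI Account", admin_accounts AS "Admin Account", first_reset AS "Reset Time", last_self_change AS "Last Self-Change", domain_controllers AS "Domain Controller"
| sort "Admin Account"
```

The eval lines copy each event's timestamp into a column named for its event code, so after `stats ... BY user` every row holds one account's earliest reset, latest self-change and disable count side by side; the where clause is then a plain per-row comparison and needs no subsearch. Runtime scales with the number of events read once, not with the number of users. Two caveats worth keeping in mind: map runs one full search per input row and stops after its maxsearches limit (10 by default), so the original search may have been silently truncating its user list as well as being slow; and `user` in 4723/4724/4725 is the target account while `src_user` is the subject, so grouping by `user` is what lines up an admin's reset with the same account's later self-change.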

Re: Need help to speed up a search

Explorer

OK, so if I add one more event code, it should still work?

0 Karma

Re: Need help to speed up a search

SplunkTrust
SplunkTrust

Depends what you're looking for. If you add an additional eventcode, with the current where filter, it will show a table view where users exist in at least 2 of the 3 eventcodes listed.

0 Karma