Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Quick SPL help with Windows Logs!

dfurtaw
Path Finder
‎04-19-2022 05:29 AM

Good day all,

I come to seek guidance from the experts 🙂

My team and I have been tasked with creating an alert that will capture hosts that start a Windows AV scan (EventCode=1000) on a Friday and don't complete by Monday. These long running scans are causing issues in the environment and we are hoping to tackle them before the start of business on Monday.

The hosts log EventCode=1001 OR EventCode=1002 when they have stopped their scan.

We have attempted to put together a couple queries, one using a subsearch that grabs all hosts who have logged EventCode=1000 that is piped into an outer search that does a NOT EventCode=1001 OR EventCode=1002 and the second using the transaction command with the following syntax:

 

<base search> | transaction maxspan=3d startswith=EventCode="1000" endswith=(EventCode="1001" OR EventCode="1002") keeporphans=true | where _txn_orphan=1
| stats count by ComputerName

 

but get no results. I do know that the transaction command is a hog and is generally recommended against. I wanted to ask the collective any thoughts or ideas on this to see the best practice for this type of search. I have read a couple posts using streamstats but I'm not sure if this is the best route for this specific example here As always, it is greatly appreciated. 

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-19-2022 04:15 PM

Depending on the data using maxspan of 3 days for transaction is going to be difficult to diagnose. It will silently handle buffer/memory size issues, so you will rarely know if your results are reliable.

I would always starts with stats, e.g.

 

<search> EventCode=1000 OR EventCode=1001 OR EventCode=1002
| stats list(_time) as times list(EventCode) as Codes by ComputerName
| where mvcount(Codes)=1 AND mvindex(Codes,0)="1000"

 

Assuming the search is run from the Friday to some point later, then this would return you all ComputerName results where there is ONLY a single result for ComputerName and it is a 1000 EventCode

Effectively this gives you all the open scans currently in progress.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...