Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Quick SPL help with Windows Logs!

dfurtaw
Path Finder
‎04-19-2022 05:29 AM

Good day all,

I come to seek guidance from the experts 🙂

My team and I have been tasked with creating an alert that will capture hosts that start a Windows AV scan (EventCode=1000) on a Friday and don't complete by Monday. These long running scans are causing issues in the environment and we are hoping to tackle them before the start of business on Monday.

The hosts log EventCode=1001 OR EventCode=1002 when they have stopped their scan.

We have attempted to put together a couple queries, one using a subsearch that grabs all hosts who have logged EventCode=1000 that is piped into an outer search that does a NOT EventCode=1001 OR EventCode=1002 and the second using the transaction command with the following syntax:

 

<base search> | transaction maxspan=3d startswith=EventCode="1000" endswith=(EventCode="1001" OR EventCode="1002") keeporphans=true | where _txn_orphan=1
| stats count by ComputerName

 

but get no results. I do know that the transaction command is a hog and is generally recommended against. I wanted to ask the collective any thoughts or ideas on this to see the best practice for this type of search. I have read a couple posts using streamstats but I'm not sure if this is the best route for this specific example here As always, it is greatly appreciated. 

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-19-2022 04:15 PM

Depending on the data using maxspan of 3 days for transaction is going to be difficult to diagnose. It will silently handle buffer/memory size issues, so you will rarely know if your results are reliable.

I would always starts with stats, e.g.

 

<search> EventCode=1000 OR EventCode=1001 OR EventCode=1002
| stats list(_time) as times list(EventCode) as Codes by ComputerName
| where mvcount(Codes)=1 AND mvindex(Codes,0)="1000"

 

Assuming the search is run from the Friday to some point later, then this would return you all ComputerName results where there is ONLY a single result for ComputerName and it is a 1000 EventCode

Effectively this gives you all the open scans currently in progress.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...