Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Quick SPL help with Windows Logs!

dfurtaw
Path Finder
‎04-19-2022 05:29 AM

Good day all,

I come to seek guidance from the experts 🙂

My team and I have been tasked with creating an alert that will capture hosts that start a Windows AV scan (EventCode=1000) on a Friday and don't complete by Monday. These long running scans are causing issues in the environment and we are hoping to tackle them before the start of business on Monday.

The hosts log EventCode=1001 OR EventCode=1002 when they have stopped their scan.

We have attempted to put together a couple queries, one using a subsearch that grabs all hosts who have logged EventCode=1000 that is piped into an outer search that does a NOT EventCode=1001 OR EventCode=1002 and the second using the transaction command with the following syntax:

 

<base search> | transaction maxspan=3d startswith=EventCode="1000" endswith=(EventCode="1001" OR EventCode="1002") keeporphans=true | where _txn_orphan=1
| stats count by ComputerName

 

but get no results. I do know that the transaction command is a hog and is generally recommended against. I wanted to ask the collective any thoughts or ideas on this to see the best practice for this type of search. I have read a couple posts using streamstats but I'm not sure if this is the best route for this specific example here As always, it is greatly appreciated. 

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-19-2022 04:15 PM

Depending on the data using maxspan of 3 days for transaction is going to be difficult to diagnose. It will silently handle buffer/memory size issues, so you will rarely know if your results are reliable.

I would always starts with stats, e.g.

 

<search> EventCode=1000 OR EventCode=1001 OR EventCode=1002
| stats list(_time) as times list(EventCode) as Codes by ComputerName
| where mvcount(Codes)=1 AND mvindex(Codes,0)="1000"

 

Assuming the search is run from the Friday to some point later, then this would return you all ComputerName results where there is ONLY a single result for ComputerName and it is a 1000 EventCode

Effectively this gives you all the open scans currently in progress.

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...