Splunk Search

Quick SPL help with Windows Logs!

Path Finder

Good day all,

I come to seek guidance from the experts 🙂

My team and I have been tasked with creating an alert that will capture hosts that start a Windows AV scan (EventCode=1000) on a Friday and don't complete by Monday. These long running scans are causing issues in the environment and we are hoping to tackle them before the start of business on Monday.

The hosts log EventCode=1001 OR EventCode=1002 when they have stopped their scan.

We have attempted to put together a couple queries, one using a subsearch that grabs all hosts who have logged EventCode=1000 that is piped into an outer search that does a NOT EventCode=1001 OR EventCode=1002 and the second using the transaction command with the following syntax:


<base search> | transaction maxspan=3d startswith=EventCode="1000" endswith=(EventCode="1001" OR EventCode="1002") keeporphans=true | where _txn_orphan=1
| stats count by ComputerName


but get no results. I do know that the transaction command is a hog and is generally recommended against. I wanted to ask the collective any thoughts or ideas on this to see the best practice for this type of search. I have read a couple posts using streamstats but I'm not sure if this is the best route for this specific example here As always, it is greatly appreciated. 

Labels (3)
0 Karma


Depending on the data using maxspan of 3 days for transaction is going to be difficult to diagnose. It will silently handle buffer/memory size issues, so you will rarely know if your results are reliable.

I would always starts with stats, e.g.


<search> EventCode=1000 OR EventCode=1001 OR EventCode=1002
| stats list(_time) as times list(EventCode) as Codes by ComputerName
| where mvcount(Codes)=1 AND mvindex(Codes,0)="1000"


Assuming the search is run from the Friday to some point later, then this would return you all ComputerName results where there is ONLY a single result for ComputerName and it is a 1000 EventCode

Effectively this gives you all the open scans currently in progress.



0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...