Splunk Search

Return Timestamp from inner and outer search

shayvdee
Explorer

Hi,
I am trying to create a search that finds two sequential events. So far I have:

index=wineventlog EventCode=4624 [ search index=wineventlog EventCode=4625 | eval earliest=_time | eval latest=_time+600 | fields earliest latest ComputerName ]

This works and returns successful windows logins that follow a failed login within a 10min period. What I want to do though is return a table that shows the time that the first event occurred and the time that the second triggering event occurred. I tried appending:

| table ComputerName earliest _time

But the earliest field comes back blank when I want that to be showing the timestamp of the event that matched the subsearch.

Any help would be appreciated. Thanks.


nareshinsvu
Builder

Are you trying to match anything from your sub-search? If not, can you try this?

index=wineventlog earliest="-10m@m" latest="now" EventCode=4624 OR EventCode=4625 | fields _time EventCode ComputerName 


shayvdee
Explorer

Hi @nareshinsvu

Thanks for your answer.

I need to match the ComputerName from the subsearch and then use the time from the subsearch to find other events in the same time period.

In the example, I want to find all successful logins over the last week that occur within 10min of a failed login on the same computer.

Thanks.

0 Karma

nareshinsvu
Builder

Sorry, I read it wrong. Can you try this? Tweak the time format according to your need. Hope this helps now?

index=wineventlog EventCode=4624 OR EventCode=4625
| eval failed_time=if(EventCode=4625,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"")
| eval Success_time=if(EventCode=4624,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"")
| stats list(EventCode) as EventCode range(_time) AS duration values(failed_time) as failed_time values(Success_time) as Success_time BY ComputerName
| rex field=duration mode=sed "s/\..*$//"
| where duration < 600

shayvdee
Explorer

Thanks. Not quite working yet, but I think you have pointed me down the right track.

Thanks.
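The subsearch in the question only filters the outer search (its earliest/latest values become time modifiers on the generated search terms), so the failed-login time is never carried into the outer results as a field. The pairing the poster actually wants is a per-host "most recent 4625 before each 4624, within 600 seconds" correlation; the Python below, added here as an example and not taken from any post in the thread, runs that logic over constructed events shaped like the wineventlog fields the thread uses (ComputerName, EventCode, _time).

```python
from datetime import datetime, timezone

# Constructed sample events (ComputerName, EventCode, _time as epoch seconds).
# Not real log data; chosen to cover a match, a too-late success, a success
# with no prior failure, and two failures where only the latest should pair.
SAMPLE_EVENTS = [
    ("WS01", 4625, 1700000000),  # failed logon on WS01
    ("WS01", 4624, 1700000120),  # success 2 min later -> match
    ("WS02", 4625, 1700000300),  # failed logon on WS02
    ("WS02", 4624, 1700001500),  # success 20 min later -> outside window
    ("WS03", 4624, 1700000400),  # success with no preceding failure -> no match
    ("WS01", 4625, 1700002000),  # first of two failures on WS01
    ("WS01", 4625, 1700002100),  # latest failure; this one gets paired
    ("WS01", 4624, 1700002400),  # success 5 min after the latest failure -> match
]

FAILED, SUCCESS = 4625, 4624
WINDOW_SECONDS = 600  # the 10-minute window from the question


def correlate_failed_then_success(events, window=WINDOW_SECONDS):
    """Pair each successful logon (4624) with the most recent failed logon
    (4625) on the same host when that failure is at most `window` seconds
    earlier. Returns (ComputerName, failed_time, success_time) tuples ordered
    by success time, i.e. both timestamps the question asks for."""
    # Order by host, then time, so one pass sees each host's events in sequence.
    ordered = sorted(events, key=lambda e: (e[0], e[2]))
    last_failed = {}  # host -> _time of its most recent 4625 seen so far
    matches = []
    for host, code, ts in ordered:
        if code == FAILED:
            last_failed[host] = ts
        elif code == SUCCESS and host in last_failed:
            if 0 <= ts - last_failed[host] <= window:
                matches.append((host, last_failed[host], ts))
    return sorted(matches, key=lambda m: m[2])


def fmt(ts):
    """Render an epoch timestamp like the strftime format used in the thread."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


if __name__ == "__main__":
    for host, failed, success in correlate_failed_then_success(SAMPLE_EVENTS):
        print(host, fmt(failed), fmt(success))
```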
