- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Return Timestamp from inner and outter search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to create a search that finds two sequential events. So far I have:
index=wineventlog EventCode=4624 [ search index=wineventlog EventCode=4625 | eval earliest=_time | eval latest=_time+600 | fields earliest latest ComputerName ]
This works and returns successful windows logins that follow a failed login within a 10min period. What I want to do though is return a table that shows the time that the first event occurred and the time that the second triggering event occurred. I tried appending:
| table ComputerName earliest _time
But the earliest field comes back blank when I want that to be showing the time stamp fo the event that matched the subsearch.
Any help would be appreciated. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to match anything from your sub-search? if not, can you try this?
index=wineventlog earliest="-10m@m" latest="now" EventCode=4624 OR EventCode=4625 | fields _time EventCode ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to match anything from your sub-search? if not, can you try this?
index=wineventlog earliest="-10m@m" latest="now" EventCode=4624 OR EventCode=4625 | fields _time EventCode ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nareshinsvu
Thanks for your answer.
I need to match the ComputerName from the subsearch and then use the time from the subsearch to find other events in the same time period.
In the example, I want to find all successful logins over the last week that occur within 10min of a failed login on the same computer.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I read it wrong. Can you try this? tweak the time format according to your need. Hope this should help now?
index=wineventlog EventCode=4624 OR EventCode=4625
| eval failed_time=if(EventCode=4625,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"")
|eval Success_time=if(EventCode=4624,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"")
| stats list(EventCode) as EventCode range(_time) AS duration values(failed_time) as failed_time values(Success_time) as Success_time BY ComputerName
| rex field=duration mode=sed "s/\..*$//"
| where duration <600
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Not quite working yet, but I think you have pointed me down the right track.
Thanks.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
