Search - Removed/Added

Michael_Schyma1
Contributor
index="Server" ( CategoryString="Account Management" OR TaskCategory="Security Group Management" ) (Message="Security Enabled*" OR Message="A member was added to a*" OR Message="A member was removed from a*") ("EventCode=624" OR "EventCode=630" OR "EventCode=4720" OR "Eventcode=4726")
| eval caller = if(isnull(Account_Name), Caller_User_Name, mvindex(Account_Name,0))
| eval member = if(isnull(Account_Name), Member_Name, mvindex(Account_Name,1))
| eval group = if(isnull(Target_Account_Name), Group_Name, Target_Account_Name)
| rex field=_raw "CN=(?<cname>.+?),"
| rex field=_raw "Message=A security-enabled .* was (?<action>.+?)\."
| rex field=_raw "was (?<details>\S+)"
| table _time host caller details cname
| rename _time AS Date/Time cname AS User group AS Group caller AS "Initiator" name AS "Description" host AS "DC" Security_ID AS "Initiator" details AS Action
| convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Date/Time)

I cannot get the removed field to work when I put in the proper event codes that I want. Does anyone have any suggestions?


chrismorris
Explorer
  1. Is Eventcode a field or a string? You are treating it as a string. If it is a field and not a string, your search won't work.
  2. Make sure you are getting the _raw data you expect after your search criteria. Your rex is suspect, as it doesn't match the case used in the search.

To Ayn's point, what data are you working with and what are you trying to do?

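Editor's note: the search below is an added example, not the original poster's search or anything from this thread, showing how the points raised above (EventCode as a field, not a quoted string; a rex that tolerates both message wordings) come together. It assumes the same `index="Server"` and the standard Splunk Windows Security field names the original search already uses (`Caller_User_Name`, `Member_Name`, `Target_Account_Name` on Windows 2003-style events; multivalue `Account_Name` and `Group_Name` on 2008-and-later events). The event IDs are the ones whose Message text actually reads "Security Enabled ... Member Added/Removed" (632/633 global, 636/637 local, 660/661 universal) or "A member was added to/removed from a security-enabled ... group" (4728/4729, 4732/4733, 4756/4757); 624/630/4720/4726 are user-account creation and deletion events and carry no membership text, so no "removed" action can be extracted from them.

```spl
index="Server" (CategoryString="Account Management" OR TaskCategory="Security Group Management")
    (EventCode=632 OR EventCode=633 OR EventCode=636 OR EventCode=637 OR EventCode=660 OR EventCode=661
     OR EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757)
```` 2003-style events carry Caller_User_Name/Member_Name/Target_Account_Name;
    2008+ events carry a multivalue Account_Name (subject, then member DN) and Group_Name ````
| eval caller = if(isnull(Caller_User_Name), mvindex(Account_Name, 0), Caller_User_Name)
| eval member = if(isnull(Member_Name), mvindex(Account_Name, 1), Member_Name)
| eval group  = if(isnull(Target_Account_Name), Group_Name, Target_Account_Name)
```` Derive the action from either wording; (?i) makes the match case-insensitive,
    unlike a plain rex, which is case-sensitive ````
| eval action = case(match(Message, "(?i)was added to|Member Added"),     "added",
                     match(Message, "(?i)was removed from|Member Removed"), "removed",
                     true(),                                                "unknown")
```` The member is a distinguished name; keep only the CN, fall back to the raw value ````
| rex field=member "^CN=(?<member_cn>[^,]+)"
| eval member_cn = coalesce(member_cn, member)
| eval Time = strftime(_time, "%m/%d/%Y %I:%M:%S %p")
| table Time host caller action member_cn group
| rename host AS DC, caller AS Initiator, action AS Action, member_cn AS User, group AS Group
```

Because `action` is computed with `case()` over the Message text rather than captured from a single rex, a row whose Action is "unknown" tells you immediately which event wording the search has not accounted for, instead of silently dropping the removed events.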

MHibbin
Influencer

Agreed... where is your "removed" field meant to be used? The string "removed" is only mentioned once in your search syntax, and that is part of the initial search command.

Ayn
Legend

It's kind of hard to read your question - it's a search consisting of 10 dense lines, followed by a very short text about something that does not work. Please include more detail on your use case, what the desired outcome is, what results you are getting instead, and any other details that might help us help you.
