Re: Searching for an Event that occured before a ...

Simple_Search · ‎09-24-2020

Windows does not provide an accurate user who performed an audit policy change on the system (EventCode 4719), it lists System versus the logged in user. I would like to identify EventCode=4719 as the primary event and then search for the closest EventCode=4624 prior to when EventCode=4719 occurred.

I have been checking the splunk community page and google to look for something that meets the need. I cannot seem to grasp this concept and would appreciate the help!

ITWhisperer · ‎09-24-2020

-- your search including (EventCode=4719 OR EventCode=4624)
| streamstats window=2 earliest(EventCode) as previousEventCode earliest(_raw) as previousEvent 
| where EventCode = 4719 AND EventCode != previousEventCode 
| table previousEvent

Simple_Search · ‎09-24-2020

Appreciate the quick response to this! It did return some results but with a multi-machine environment (which I did not disclose) did not return what I was anticipating. I made some modifications and here is what I would like to see....

For each 4719 Event from 100's of machines

Hostname

Time of Event for 4719

Message from 4719

Time of Event for 4624

Message from 4624

Searching for an Event that occured before a Specific Event

other

subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!