Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strange Splunk Search Exclusion Results

johann2017
Explorer
‎01-10-2020 06:46 AM

Hello. I am creating a search to see when the Account_Name called "helpdesk" logs in via EventCode 4624 with Logon_Type=3. My goal is to see what source machines (src_nt_host) normally perform this logon behavior with that account name. After I find the source machines I will exclude them in the search so I can alert off of it.

A search going back the past 3 months below brings back five different source machines (src_nt_host).

Here is the strange part - when I exclude one of those five source machines using src_nt_host!=machineA then rerun the search, it brings back more source machines that never showed up in the original search! Any clue why this is occurring? It would be awesome if I could figure out what is going on!

index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TISKAR
Builder
‎01-10-2020 06:56 AM

Hello,

Can you please add the option of | sort 0 - _time command like this:

**index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort 0 - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature*

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Sort

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

TISKAR
Builder
‎01-10-2020 06:56 AM

Hello,

Can you please add the option of | sort 0 - _time command like this:

**index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort 0 - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature*

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Sort

0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎01-10-2020 07:33 AM

Hello TISKAR. I tried it but it made no difference...

0 Karma
Reply
Solved! Jump to solution

TISKAR
Builder
‎01-10-2020 07:39 AM

Can you please run this request: 

index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | stats count

And compar result with: 

index=-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk NOT  src_nt_host=machineA | stats count
0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎01-10-2020 07:59 AM

First search (no exclusions) = 450,073

Second search (with the machineA exclusion) = 79,947

0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎01-10-2020 08:12 AM

If I run these two searches, the Statistics totals are 29 and 28 - only off by one (which makes sense because I excluded only one machine). Therefore that seems to add up correctly. Not sure why my original search only showed 5 systems.

index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator | table src_nt_host | dedup src_nt_host

index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator src_nt_host!=machineA | table src_nt_host | dedup src_nt_host

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top