Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subsearch? Transaction? I'm not sure
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
I'm not sure what type of search I need to use...
What I would like to do is the following;
Search for EventId 4688, 4624, 4672, 4688, 4689 all within a few seconds.
I can't seem to get it to work using transaction.
Here is what I have just as a test:
source="WinEventLog:Security" * |transaction "EventCode=4688" "EventCode=4689" maxspan=30s maxpause=5s
I would think I should get something back from this as it's a simple, Process Created, Process Exited.
Make sense?
This is where I got the idea - http://www.sysforensics.org/2012/04/splunk-and-malware-fun.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What did you try that did not work?
transaction sounds like exactly what you should use. Something like:
EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689
This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host, to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What did you try that did not work?
transaction sounds like exactly what you should use. Something like:
EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689
This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host, to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
