Transaction ends and begins with same code- How to differentiate?

michaeler
Communicator

I'm trying to differentiate between cd burns and cd read codes from Window Event Viewer using WinZipBurn. From what I've seen, a cd burn will generate event codes 1001, 1003, 1004, and then 1001 again in WinEventLog:Application. Reading from a cd will just generate code '1001.'

I'm trying to create a report that will determine if the sequence 1001, 1003, 1004, 1001 occurs within a 10 minute span. I'm not great with transactions so I'm sure there is an error. The following is what I tried:

sourcetype=WinEventLog:Application WinZipBurn
| transaction Account_Name maxspan=10m maxpause=3m
startswith=eval(EventCode="1001")
endswith=eval(EventCode="1001")

I don't think it can tell the difference between the first one and the last. In EventViewer, there is more info that says the cd is blank vs finalized but Splunk isn't pulling it over. 1003 and 1004 are error codes that I'm not sure what for but they only occur in the middle of a burn.


lenguyening
New Member

I came across this post during my searches for Roxio/WinZip SecureBurn event codes. From my research I have found that this is what each event code means, based on the additional text contained in the Windows Event log:

  • 1001: Blank disk inserted
  • 1003: Writing event started (can correlate with Windows System logs, EVID 133, look for 'cdrom' in the log)
  • 1004: Disk burned, finalized. Key terms from data fields to look for are "Finalized,Closed session"

I have not been able to consistently replicate event 1001 at the beginning and end of the event, but I can consistently replicate event 1003 and 1004, so I've decided to focus on those.

Hope that helps someone!

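Added example (not code from either poster): a small Python state machine that does what the question's transaction search is trying to do, match the ordered sequence 1001, 1003, 1004, 1001 per Account_Name within a 10 minute span and a 3 minute pause, without letting the closing 1001 double as the start of a new burn. The log lines, account names and the `time Account_Name=... EventCode=...` line format are constructed for the example; the second call shows the reply's shorter 1003-then-1004 pattern, which also catches a burn whose 1001 bookends fall outside the window.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not real Windows events): time, Account_Name, EventCode.
SAMPLE_LOG = """\
2024-05-01 09:00:00 Account_Name=alice EventCode=1001
2024-05-01 09:02:10 Account_Name=alice EventCode=1003
2024-05-01 09:04:30 Account_Name=alice EventCode=1004
2024-05-01 09:06:00 Account_Name=alice EventCode=1001
2024-05-01 10:00:00 Account_Name=bob EventCode=1001
2024-05-01 11:00:00 Account_Name=carol EventCode=1001
2024-05-01 11:20:00 Account_Name=carol EventCode=1003
2024-05-01 11:21:00 Account_Name=carol EventCode=1004
2024-05-01 11:22:00 Account_Name=carol EventCode=1001
"""
BURN_SEQUENCE = (1001, 1003, 1004, 1001)  # full burn as described in the question

def parse_log(text):
    """Return (timestamp, account, code) tuples from the constructed line format."""
    events = []
    for line in text.splitlines():
        date, clock, acct, code = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, acct.split("=", 1)[1], int(code.split("=", 1)[1])))
    return events

def find_burns(events, sequence=BURN_SEQUENCE,
               maxspan=timedelta(minutes=10), maxpause=timedelta(minutes=3)):
    """Per account, return (account, start, end) for each ordered occurrence of
    `sequence` that fits within `maxspan` overall and `maxpause` between steps.
    The closing code of one match is consumed and never reused as a new start."""
    by_account = {}
    for ts, acct, code in sorted(events):
        by_account.setdefault(acct, []).append((ts, code))
    hits = []
    for acct, evs in by_account.items():
        idx, start, last = 0, None, None  # next step expected, first/last match time
        for ts, code in evs:
            if idx and (ts - start > maxspan or ts - last > maxpause):
                idx = 0  # window expired: drop the partial match
            if code == sequence[idx]:
                start = ts if idx == 0 else start
                idx, last = idx + 1, ts
                if idx == len(sequence):
                    hits.append((acct, start, ts))
                    idx = 0
            elif code == sequence[0]:
                idx, start, last = 1, ts, ts  # a fresh start code restarts the match
            elif code in sequence:
                idx = 0  # a sequence code out of order breaks the match
    return hits
```

With the sample data, the full four-code sequence flags only alice (bob only read a disc, carol's 1003 came 20 minutes after her 1001), while `find_burns(events, sequence=(1003, 1004))` flags both alice and carol.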