Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transaction ends and begins with same code- How to differentiate?

michaeler
Communicator
‎04-12-2021 12:38 PM

I'm trying to differentiate between cd burns and cd read codes from Window Event Viewer using WinZipBurn. From what I've seen, a cd burn will generate event codes 1001, 1003, 1004, and then 1001 again in WinEventLog:Application. Reading from a cd will just generate code '1001.'

 

I'm trying to create a report that will determine if the sequence 1001, 1003, 1004, 1001 occurs within a 10 minute span. I'm not great with transactions so I'm sure there is an error. The following is what I tried:

sourcetype=WinEventLog:Application WinZipBurn
| transaction Account_Name maxspan=10m maxpause=3m
startswith=eval(EventCode="1001")
endswith=eval(EventCode="1001")

I don't think it can tell the difference between the first one and the last. In EventViewer, there is more info that says the cd is blank vs finalized but Splunk isn't pulling it over. 1003 and 1004 are error codes that I'm not sure what for but they only occur in the middle of a burn.

Labels (1)
Labels
0 Karma
Reply

lenguyening
New Member
‎03-03-2023 10:58 AM

I came across this post during my searches for Roxio/WinZip SecureBurn event codes. From my research I have found that this is what each event code means, based off the additional text contained in the Windows Event log:

  • 1001: Blank disk inserted
  • 1003: Writing event started (can correlate with Windows System logs, EVID 133, look for 'cdrom' in the log)
  • 1004: Disk burned, finalized. Key terms from data fields to look for are "Finalized,Closed session"

I have not been able to consistently replicate event 1001 at the beginning and end of the event, but I can consistently replicate event 1003 and 1004, so I've decided to focus on those.

Hope that helps someone!

 

0 Karma
Reply
Get Updates on the Splunk Community!

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Top