Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use Case for Privileged Users, SPL Question

avoelk
Communicator
‎01-08-2025 08:02 AM

I'm trying to create a search in which the following should be done: 

- look for a user creation process (ID 4720)

- and then look (for the same user) if there is a follow up group adding event (4728) for privileged groups like (512,516 etc.) 

 

my SPL was so far like that: 

 

index=lalala source=lalala EventID=4720 OR 4728 PrimaryGroupId IN (512,516,517,518,519)

 

BUT that way I only look for either a user creation OR a user being added as a privileged user. but I want to like both. I understand that I need to somehow connect those two searches but I don't know how exactly. 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎01-08-2025 12:34 PM

Hi

I think that this is place for sub query like

index=lalala source=lalala EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519) AND
[ search index=lalala source=lalala EventID=4720 
  | fields UserName | dedup UserName | format ]

In this way it first look those UserNames which has created and then that "outer" base search this those (UserName = "xxx" OR UserName = "yy"....)

If you are looking for long period then maybe there is better options too.

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎01-08-2025 12:34 PM

Hi

I think that this is place for sub query like

index=lalala source=lalala EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519) AND
[ search index=lalala source=lalala EventID=4720 
  | fields UserName | dedup UserName | format ]

In this way it first look those UserNames which has created and then that "outer" base search this those (UserName = "xxx" OR UserName = "yy"....)

If you are looking for long period then maybe there is better options too.

r. Ismo 

Reply
Solved! Jump to solution

avoelk
Communicator
‎01-16-2025 10:24 AM

thanks a lot, that was the solution ! 

0 Karma
Reply
Solved! Jump to solution

emlin_charly
Explorer
‎01-08-2025 08:26 AM

Hello hello!

I think what you are looking for here is the `transaction` command, but it can have some extra over-head.  I'll leave some examples here to see if they work for you. Since your requirement is simple, I suggest using the `stats` command instead of `transaction`. If you wanted to look at a specific EventID first and then another specific EventID after, `transaction` might be easier to implement.

Version using `transaction`:

 

index=lalala source=lalala (EventID=4720 OR (EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519)))
| transaction UserName maxspan=5m
| search EventID=4720 AND EventID=4728

 

Version using `stats`:

index=lalala source=lalala (EventID=4720 OR (EventID=4728 AND PrimaryGroupId IN (512,516,517,518,519)))
| stats values(EventID) AS EventIDs by UserName
| search EventIDs=4720 EventIDs=4728


Edit: Fixing the code blocks.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...