I can do the following separately, and I get the results I want.
index="wineventlog" EventIdentifier="4624" | dedup ComputerName
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name
I'm having trouble combining the two.
It really depends on what you are trying to do (your question is too vague). Try this:
index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]
Or this:
index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name
This should do it
index="wineventlog" (EventIdentifier="4624") OR ( EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName, New_Process_Name) | dedup dedupfield
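As an added illustration (not code from any poster in this thread), the Python below re-creates the filter and both dedup variants over constructed sample events: it shows why `dedup ComputerName New_Process_Name` returns only 4688 events (dedup drops any event missing one of the listed fields unless keepempty=true, and logon events have no New_Process_Name), and why the conditional dedupfield keeps one row per host for logons and one per process name for 4688. Field names and event IDs are the thread's; the sample hosts and paths are constructed.

```python
import fnmatch

PROCESS_PATTERNS = ("*word.exe*", "*excel.exe*", "*outlook.exe*")
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed sample events (not from the thread). Logon events (4624) carry
# ComputerName but no New_Process_Name; process-creation events (4688) carry both.
EVENTS = [
    {"EventIdentifier": "4624", "ComputerName": "WS01"},
    {"EventIdentifier": "4624", "ComputerName": "WS01"},
    {"EventIdentifier": "4624", "ComputerName": "WS02"},
    {"EventIdentifier": "4688", "ComputerName": "WS01", "New_Process_Name": OFFICE + r"\WINWORD.EXE"},
    {"EventIdentifier": "4688", "ComputerName": "WS02", "New_Process_Name": OFFICE + r"\WINWORD.EXE"},
    {"EventIdentifier": "4688", "ComputerName": "WS01", "New_Process_Name": OFFICE + r"\EXCEL.EXE"},
    {"EventIdentifier": "4688", "ComputerName": "WS01", "New_Process_Name": r"C:\Windows\System32\notepad.exe"},
]

def matches_filter(event):
    """Search-side filter: 4624, or 4688 whose process matches an Office wildcard.
    Splunk field wildcards are case-insensitive, so compare lowercased."""
    if event["EventIdentifier"] == "4624":
        return True
    proc = event.get("New_Process_Name", "").lower()
    return event["EventIdentifier"] == "4688" and any(fnmatch.fnmatchcase(proc, p) for p in PROCESS_PATTERNS)

def dedup(events, fields):
    """Splunk-style dedup: first event per combination of field values.
    As with `dedup` without keepempty=true, an event missing ANY listed field is dropped."""
    seen, kept = set(), []
    for ev in events:
        if any(f not in ev for f in fields):
            continue  # this is what silently removes every 4624 in combine_naive
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept

def combine_naive(events):
    """`... | dedup ComputerName New_Process_Name`: only 4688 events survive."""
    return dedup([e for e in events if matches_filter(e)], ["ComputerName", "New_Process_Name"])

def combine_conditional(events):
    """`| eval dedupfield=if(EventIdentifier="4624", ComputerName, New_Process_Name) | dedup dedupfield`."""
    rows = []
    for e in events:
        if matches_filter(e):
            row = dict(e)
            row["dedupfield"] = e["ComputerName"] if e["EventIdentifier"] == "4624" else e["New_Process_Name"]
            rows.append(row)
    return dedup(rows, ["dedupfield"])
```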
You need ...| append [**search** index ...]
Yes, fixed now.
As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.
First throws an error ("unknown command index") and second only matches event 4688.
Use a comma to combine multiple dedup fields.
dedup Computer_Name,New_Process_Name
Same results as using woodcock's answer. I only get results for event 4688.
What results are you looking for?
Did you try the "append" command?
Bye.
Giuseppe
index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="word.exe" OR New_Process_Name="excel.exe" OR New_Process_Name="outlook.exe") | dedup New_Process_Name]
Are you sure that the searches have results? I tried on my Splunk and I get the addition of the two searches.
Bye.
Giuseppe
They did. As I said in my OP, both searches on their own produce results.
Just now got append working.