Using transaction on a field alias I created for 2 fields with different names in different sourcetypes, why am I unable to group all matching events?

noybin
Communicator

Hi,

I have 2 sourcetypes: wineventlog:security and WinEventLog:Microsoft-Windows-Sysmon/Operational. I have extracted a field from each of them:

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
Extract-LogonIDSysmon = (LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)

[WinEventLog:Security]
EXTRACT-LogonID = (\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)

I need to search the events that match those values grouped together. I tried to use the transaction command and thought this could be done by creating an alias for those fields:

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-LogonIdMulti = LogonIDSysmon AS LogonIdMulti

[WinEventLog:Security]
FIELDALIAS-LogonIdMulti = LogonID AS LogonIdMulti

When I run the search:

index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

Only events from sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational appear.

When I run the search:

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

I have results and I see the field LogonIdMulti on the left, like the other fields.

But when I run the search:

index=* sourcetype="wineventlog:security"  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

I have no results and the field LogonIdMulti doesn't appear.

But when I run:

index=* sourcetype="wineventlog:security"  host="progressive.lightech.ar" | transaction LogonID | sort -_time

I have results, although the field LogonIdMulti is not listed on the left.

What is the correct way to achieve my purpose of having all the events that match those fields grouped together as a transaction?

Thank you very much.

1 Solution

noybin
Communicator

Think I found the solution:

index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational") host="progressive*" | eval LogonIdMix = coalesce(LogonID, LogonIDSysmon) | sort -_time | transaction LogonIdMix

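As an added illustration (not part of the original thread, and not Splunk's own code), the following Python models what the accepted search does: it applies the two EXTRACT regexes from the question to a handful of constructed sample events, unifies the two differently named logon-ID fields with the same first-non-null logic as Splunk's coalesce(), and then groups events by the unified key the way transaction does. It also shows the failure mode from the question, grouping on a field that only one sourcetype populates, which silently drops the Security events. The event records and the simplified transaction() are assumptions for the demonstration; real transaction has span and pause limits this model ignores.

```python
import re
from collections import defaultdict

# Extraction regexes copied from the props.conf stanzas in the question.
RE_SYSMON = re.compile(r"(LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)")
RE_SECURITY = re.compile(r"(\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)")

SYSMON = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"

# Constructed sample events (not real logs): (_time, sourcetype, _raw).
# 0x3e7 appears in both sourcetypes; 0x5a1b only in Security; 0x77f0 only in Sysmon.
EVENTS = [
    (1, SECURITY, "EventCode=4624 ... New Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1\r\n\tLogon ID:\t\t0x3e7"),
    (2, SYSMON, "EventCode=1 Image: C:\\Windows\\System32\\cmd.exe LogonId: 0x3e7"),
    (3, SYSMON, "EventCode=1 Image: C:\\Windows\\System32\\whoami.exe LogonId: 0x3e7"),
    (4, SECURITY, "EventCode=4624 ... Logon ID:\t\t0x5a1b"),
    (5, SYSMON, "EventCode=3 LogonId: 0x77f0"),
]


def extract_fields(sourcetype, raw):
    """Mimic per-sourcetype EXTRACT stanzas: only the stanza for this sourcetype runs."""
    fields = {}
    if sourcetype.lower() == SYSMON.lower():
        m = RE_SYSMON.search(raw)
        if m:
            fields["LogonIDSysmon"] = m.group("LogonIDSysmon")
    elif sourcetype.lower() == SECURITY.lower():
        m = RE_SECURITY.search(raw)
        if m:
            fields["LogonID"] = m.group("LogonID")
    return fields


def coalesce(*values):
    """Same semantics as Splunk's coalesce(): the first argument that is not null."""
    for v in values:
        if v is not None:
            return v
    return None


def transaction(events, key):
    """Simplified transaction: group events sharing a value of `key`, ordered by _time.
    Events that lack the field are dropped, which is why grouping on a field that only
    one sourcetype populates loses the other sourcetype entirely."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get(key) is not None:
            groups[ev[key]].append(ev)
    return {k: sorted(v, key=lambda e: e["_time"]) for k, v in groups.items()}


def build_events():
    """Run the extractions and the accepted answer's eval over the sample events."""
    out = []
    for t, st, raw in EVENTS:
        ev = {"_time": t, "sourcetype": st, "_raw": raw}
        ev.update(extract_fields(st, raw))
        # | eval LogonIdMix = coalesce(LogonID, LogonIDSysmon)
        ev["LogonIdMix"] = coalesce(ev.get("LogonID"), ev.get("LogonIDSysmon"))
        out.append(ev)
    return out


def group_by_mixed_id():
    """| transaction LogonIdMix : both sourcetypes land in the same groups."""
    return transaction(build_events(), "LogonIdMix")


def group_by_sysmon_only():
    """Grouping on a field only Sysmon events carry: Security events vanish."""
    return transaction(build_events(), "LogonIDSysmon")


if __name__ == "__main__":
    for logon_id, evs in group_by_mixed_id().items():
        print(logon_id, [(e["_time"], e["sourcetype"]) for e in evs])
```

Running it shows 0x3e7 grouping one Security logon with two Sysmon process events, while the Sysmon-only grouping never produces a 0x5a1b group and drops the Security 4624 event from 0x3e7. On a real deployment the same correlation is often cheaper with stats by the coalesced field than with transaction, but the key-normalization step is identical.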
