Splunk Search

Using transaction on a field alias I created for 2 fields with different names in different sourcetypes, why am I unable to group all matching events?

noybin
Communicator

Hi,

I have 2 sourcetypes: wineventlog:security and WinEventLog:Microsoft-Windows-Sysmon/Operational. I have extracted a field from each of them:

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
Extract-LogonIDSysmon = (LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)

[WinEventLog:Security]
EXTRACT-LogonID = (\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)

I need to search the events that match those values grouped together. I tried to use the transaction command and thought this could be done by creating an alias for those fields:

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-LogonIdMulti = LogonIDSysmon AS LogonIdMulti

[WinEventLog:Security]
FIELDALIAS-LogonIdMulti = LogonID AS LogonIdMulti

When I run the search:

index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

Only events from sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational appear.

When I run the search:

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

I have results and I see the field LogonIdMulti on the left along with the other fields.

But when I run the search:

index=* sourcetype="wineventlog:security"  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

I have no results and the field LogonIdMulti doesn't appear.

But when I run:

index=* sourcetype="wineventlog:security"  host="progressive.lightech.ar" | transaction LogonID | sort -_time

I have results, although the field LogonIdMulti is not listed on the left.

What is the correct way to achieve my purpose of having all the events that match those fields grouped together as a transaction?

Thank you very much.

1 Solution

noybin
Communicator

I think I found the solution:

index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational") host="progressive*" | eval LogonIdMix = coalesce(LogonID, LogonIDSysmon) | sort -_time | transaction LogonIdMix
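As an added illustration (not part of the question or of the accepted answer above), the Python below replays what the accepted search does outside Splunk: it applies a per-sourcetype regex extraction that mirrors the two EXTRACT- stanzas, coalesces the differently named LogonID and LogonIDSysmon fields into a single key, and then groups events on that key in time order the way transaction does, reporting eventcount and duration per group. The sample events, the helper names (extract_fields, coalesce, build_transactions) and the lower-casing of the hex Logon ID are constructed assumptions for this example; the case normalisation is there because a case-sensitive key would silently split one logon session into two transactions if the two sources rendered the same ID in different case, which is exactly the failure mode to check for when correlating Security and Sysmon events on Logon ID.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the question). Events 1-3 belong to one
# logon session seen first in the Security log and then in two Sysmon process
# events; event 4 is a second session; event 5 carries no Logon ID at all.
EVENTS = [
    {"_time": 1, "sourcetype": "wineventlog:security",
     "_raw": "EventCode=4624 Logon Type: 2 New Logon: Security ID: S-1-5-21-1 "
             "Logon ID:\t\t0x3E7A1"},
    {"_time": 2, "sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "_raw": "EventCode=1 Image: C:\\Windows\\System32\\cmd.exe LogonId: 0x3e7a1 "
             "ProcessId: 4412"},
    {"_time": 3, "sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
     "_raw": "EventCode=1 Image: C:\\Windows\\System32\\whoami.exe LogonId: 0x3e7a1 "
             "ProcessId: 4480"},
    {"_time": 4, "sourcetype": "wineventlog:security",
     "_raw": "EventCode=4624 Logon Type: 3 Logon ID:\t\t0x5B2C"},
    {"_time": 5, "sourcetype": "wineventlog:security",
     "_raw": "EventCode=4672 Special privileges assigned (no logon id field)"},
]

# Regexes modelled on the two props.conf extractions in the question; the hex
# class is widened to both cases here (an assumption of this example).
EXTRACTIONS = {
    "wineventlog:microsoft-windows-sysmon/operational":
        re.compile(r"LogonId:\s*(?P<LogonIDSysmon>(0x)?[0-9a-fA-F]+)"),
    "wineventlog:security":
        re.compile(r"Logon ID:\s*(?P<LogonID>(0x)?[0-9a-fA-F]+)"),
}


def extract_fields(event):
    """Apply the extraction for the event's sourcetype (toy EXTRACT- behaviour).
    Sourcetype names are matched case-insensitively in this example."""
    fields = dict(event)
    rx = EXTRACTIONS.get(event["sourcetype"].lower())
    if rx:
        m = rx.search(event["_raw"])
        if m:
            fields.update(m.groupdict())
    return fields


def coalesce(fields, *names):
    """First non-null value among the named fields, like SPL coalesce()."""
    for name in names:
        if fields.get(name) is not None:
            return fields[name]
    return None


def build_transactions(events, key_field="LogonIdMix"):
    """eval LogonIdMix = coalesce(LogonID, LogonIDSysmon) | sort _time
    | transaction LogonIdMix, reduced to its grouping behaviour."""
    extracted = [extract_fields(e) for e in events]
    for f in extracted:
        value = coalesce(f, "LogonID", "LogonIDSysmon")
        # Normalise hex case so 0x3E7A1 and 0x3e7a1 land in the same group.
        f[key_field] = value.lower() if value else None

    groups = defaultdict(list)
    for f in sorted(extracted, key=lambda x: x["_time"]):
        if f[key_field] is None:
            continue  # nothing to correlate on; left out of every transaction
        groups[f[key_field]].append(f)

    return {
        key: {
            "eventcount": len(evts),
            "duration": evts[-1]["_time"] - evts[0]["_time"],
            "sourcetypes": sorted({e["sourcetype"] for e in evts}),
            "events": evts,
        }
        for key, evts in groups.items()
    }


if __name__ == "__main__":
    for key, tx in build_transactions(EVENTS).items():
        print(key, tx["eventcount"], tx["duration"], tx["sourcetypes"])
```

Running the block prints one line per transaction: the 0x3e7a1 session groups the Security logon with both Sysmon process events across two sourcetypes, 0x5b2c is a single-event transaction, and the 4672 event with no Logon ID is dropped from the grouping rather than mis-filed.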
