Splunk Search

Why is search for multiple Windows events failing?

Robert11
Path Finder

I am running Splunk Enterprise and am trying to create a dashboard panel "Events" search string that pulls multiple Windows Event Log Codes. I am using variations of the code below:

index=windows* sourcetype="WinEventLog:Security" (EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793")

I also tried this search to no avail:

sourcetype=wineventlog source="WinEventLog:Security" host="xxxx*" EventCode=4625,4624

When I used the second search without the (,4624), it populates events with 4625, but I have not figured out how to make it pull more than one Event Code properly. It doesn't show any errors or text failures. It simply presents "no results found. Try expanding the time range", which I expanded from 15 mins up to YTD. Does anyone have a Windows Event search command bank they could share, or tell me what to read / explain how to correct my line of code? Thanks!

P.S. the (host=XXXX*) is used as a placeholder for my organization's host name

0 Karma
1 Solution

VatsalJagani
SplunkTrust

@Robert11 - You can do it in the two ways below:

1. For a list of EventCodes, use the IN parameter

sourcetype=wineventlog source="WinEventLog:Security" host="xxxx*" EventCode IN (4625,4624)


2. For a range of EventCodes, use a where condition, but do not use double quotes, as EventCodes are numbers, not strings.

index=windows* sourcetype="WinEventLog:Security" 
| where (EventCode>=630 AND EventCode<=640) OR EventCode=641 OR (EventCode>=647 AND EventCode<=668) OR (EventCode>=4726 AND EventCode<=4736) OR EventCode=4737 OR (EventCode>=4743 AND EventCode<=4763) OR EventCode=4764 OR (EventCode>=4782 AND EventCode<=4793)


I hope this helps!!!


gcusello
SplunkTrust

Hi @Robert11,

let me understand, do you want to search for one of the above EventCodes or for a combination of them?

I ask this because how can an event have two EventCodes?

If instead you want to match one of the above EventCodes you can use the IN() function, something like this:

index=windows* sourcetype="WinEventLog:Security" EventCode IN ("630","640","641","647","668","4726","4736","4737","4743","4763","4764","4782","4793")

About the second search, it cannot run because you always need a fieldname=value pair, not a multivalue.

Ciao.

Giuseppe

Robert11
Path Finder

@gcusello Below are the updated code searches:

sourcetype=wineventlog source="WinEventLog:Security" host="xxxx*" EventCode IN (4647,5137,4691,4660,4736,4716)

The above search, provided by an earlier response, populates events correctly (multiple events with different Event Codes, e.g. 4647 or 5137; it does NOT duplicate answers), so it functions as desired.

index=windows* sourcetype="WinEventLog:Security"
| where (EventCode>=4624 AND EventCode<=4634) OR EventCode=4647 OR (EventCode>=5137 AND EventCode<=4691) OR (EventCode>=4660 AND EventCode<=4736) OR EventCode=4716 OR (EventCode>=4670 AND EventCode<=5136) OR EventCode=6416 OR (EventCode>=6423 AND EventCode<=4964)

The above search does not populate any data, even though certain events populated data in the first search (e.g. 4647: User initiated logoff); it currently shows "no results found. Try expanding the time range." I was under the impression that the (index=windows*) was the field name? If not, what would be the proper way to format this text? I have also tried to input (host=xxxx*) after (Security"), which did not change the search results or populate any errors. Having tried both with and without a desired host target, how can I get this second search to return data with known events such as logons/logoffs that work in other searches? Thank you.

0 Karma
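As an added example (not code from this thread, from Splunk, or from any of the posters): a small Python checker that reads the three kinds of EventCode clause posted above (EventCode IN (...), a single EventCode=, and (EventCode>=a AND EventCode<=b) ranges), reports any range whose lower bound is above its upper bound, and evaluates the filter against a few constructed Security events. The event records are made up for the demonstration and the parser handles only those three clause shapes; it is not an SPL parser. Run on the follow-up where clause it shows two ranges (5137..4691 and 6423..4964) that can never match, while the remaining terms still match 4624 and 4647 offline. When a filter matches the expected codes offline but the Splunk search still returns nothing, the comparison logic is not the problem and the data side (index name, field values, quoted versus numeric EventCode) is where to look.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events standing in for WinEventLog:Security records.
# Real events carry many more fields; only EventCode matters for this check.
SAMPLE_EVENTS = [
    {"host": "dc01", "EventCode": 4624},   # successful logon
    {"host": "dc01", "EventCode": 4647},   # user-initiated logoff
    {"host": "ws07", "EventCode": 4736},   # security group deleted
    {"host": "ws07", "EventCode": 4776},   # credential validation
    {"host": "dc01", "EventCode": 5137},   # directory object created
]

# The clauses from the thread, copied as posted.
FIRST_WHERE = (
    '| where (EventCode>=630 AND EventCode<=640) OR EventCode=641 OR '
    '(EventCode>=647 AND EventCode<=668) OR (EventCode>=4726 AND EventCode<=4736) '
    'OR EventCode=4737 OR (EventCode>=4743 AND EventCode<=4763) OR EventCode=4764 '
    'OR (EventCode>=4782 AND EventCode<=4793)'
)
SECOND_WHERE = (
    '| where (EventCode>=4624 AND EventCode<=4634) OR EventCode=4647 OR '
    '(EventCode>=5137 AND EventCode<=4691) OR (EventCode>=4660 AND EventCode<=4736) '
    'OR EventCode=4716 OR (EventCode>=4670 AND EventCode<=5136) OR EventCode=6416 '
    'OR (EventCode>=6423 AND EventCode<=4964)'
)
IN_CLAUSE = 'sourcetype=wineventlog host="xxxx*" EventCode IN (4625,4624)'


@dataclass(frozen=True)
class CodeRange:
    """Inclusive EventCode range; a single code is a range with low == high."""
    low: int
    high: int

    def is_empty(self) -> bool:
        # A range whose lower bound is above its upper bound can never match.
        return self.low > self.high

    def contains(self, code: int) -> bool:
        return self.low <= code <= self.high


# One alternation per clause shape; group order: range low, range high, IN list, single.
_TERM = re.compile(
    r'\(\s*EventCode\s*>=\s*"?(\d+)"?\s+AND\s+EventCode\s*<=\s*"?(\d+)"?\s*\)'
    r'|EventCode\s+IN\s*\(([^)]*)\)'
    r'|EventCode\s*=\s*"?(\d+)"?',
    re.IGNORECASE,
)


def parse_filter(clause: str) -> list[CodeRange]:
    """Turn an OR-joined EventCode clause into a list of inclusive ranges.

    Quotes around numbers are stripped so everything compares numerically here;
    Splunk's where would compare quoted values as strings, which is why the
    accepted answer says to drop the quotes in a where clause.
    """
    terms: list[CodeRange] = []
    for m in _TERM.finditer(clause):
        low, high, in_list, single = m.groups()
        if low is not None:
            terms.append(CodeRange(int(low), int(high)))
        elif in_list is not None:
            for raw in in_list.split(","):
                code = int(raw.strip().strip('"'))
                terms.append(CodeRange(code, code))
        else:
            terms.append(CodeRange(int(single), int(single)))
    return terms


def empty_ranges(terms: list[CodeRange]) -> list[CodeRange]:
    """Ranges that cannot match any EventCode (lower bound above upper bound)."""
    return [t for t in terms if t.is_empty()]


def matches(terms: list[CodeRange], code: int) -> bool:
    """OR semantics: the event passes if any term contains its EventCode."""
    return any(t.contains(code) for t in terms)


def evaluate(clause: str, events: list[dict]) -> list[int]:
    """Distinct EventCodes from `events` that the clause would let through."""
    terms = parse_filter(clause)
    return sorted({e["EventCode"] for e in events if matches(terms, e["EventCode"])})


if __name__ == "__main__":
    for name, clause in (("first where", FIRST_WHERE),
                         ("second where", SECOND_WHERE),
                         ("IN clause", IN_CLAUSE)):
        terms = parse_filter(clause)
        print(f"{name}: {len(terms)} terms, matches {evaluate(clause, SAMPLE_EVENTS)}")
        for bad in empty_ranges(terms):
            print(f"  never matches: EventCode>={bad.low} AND EventCode<={bad.high}")
```

The check is deliberately separate from Splunk: paste a clause in, confirm it admits the codes you expect, and only then debug the search itself (for instance by dropping the where clause and looking at the index and EventCode fields of the raw events).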

gcusello
SplunkTrust

Hi @Robert11,

if the first solution solves your need, why search for another one?

About the second, try to use "search" instead of "where".

Ciao.

Giuseppe

0 Karma


Robert11
Path Finder

@VatsalJagani I used the provided search codes, with success with the first one, but the second did not populate any data even though the codes used in the second populated data. Below is the same response to another answer. Any insight as to why the second search provided does not return any data?

sourcetype=wineventlog source="WinEventLog:Security" host="xxxx*" EventCode IN (4647,5137,4691,4660,4736,4716)

The above search, provided by an earlier response, populates events correctly (multiple events with different Event Codes, e.g. 4647 or 5137; it does NOT duplicate answers), so it functions as desired.

index=windows* sourcetype="WinEventLog:Security"
| where (EventCode>=4624 AND EventCode<=4634) OR EventCode=4647 OR (EventCode>=5137 AND EventCode<=4691) OR (EventCode>=4660 AND EventCode<=4736) OR EventCode=4716 OR (EventCode>=4670 AND EventCode<=5136) OR EventCode=6416 OR (EventCode>=6423 AND EventCode<=4964)

The above search does not populate any data, even though certain events populated data in the first search (e.g. 4647: User initiated logoff); it currently shows "no results found. Try expanding the time range." I was under the impression that the (index=windows*) was the field name? If not, what would be the proper way to format this text? I have also tried to input (host=xxxx*) after (Security"), which did not change the search results or populate any errors. Having tried both with and without a desired host target, how can I get this second search to return data with known events such as logons/logoffs that work in other searches? Thank you.

0 Karma

SinghK
Builder

Are you using the correct index? It points to an index on your Splunk instance where all the Windows data is, and it could have a different name.

To check the correct index name, run the first search and look at the index field and the name of the index.

0 Karma