Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multiple event code search

cyberfan
Explorer
‎09-30-2020 06:18 AM

we want to detect the multiple events together, for example, we want to find out those events which have event 4741 and event 4743 happen together.

scenario 1: at certain time (2020.3.20 18:00:00)  both 4741 and 4743 happen together

Scenario2: the interval between 4741 and 4743 is short (less than 2 second)

how to define SPL for these two scenarios, do we need correlation search?

Labels (1)
Labels
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎09-30-2020 08:24 AM

Scenario 1 is fairly easy, scenario 2 can be harder, but maybe not.

Scenario 1: As long as you have a way to separate different "instances" of 4741 and 4743 (e.g. "by user" or something), then

index=foo sourcetype=bar (eventId=4741 OR eventId=4743)
| stats count by _time, <user>
| where count>=2

That's obviously just sort of tossed together pseudocode, but should get you close.  It relies on the timestamps being the same (to second resolution) for two events for the same user.

Scenario 2: some questions.

Are these two events expecting to be in a particular order or might they be in either order?

What's the approximate volume of the source data, and how often they'll match? 

Answers that work really well with a few hundred or thousand events and which can be easily understood, like transaction, are not necessarily the same answers as if there's a few million/billion per day.  For the latter, we may have to sort of "approximate" what "2 seconds apart" means very slightly which will work LOTS faster on bigger data sets but may not quite work as perfectly or at least be as understandable as a simpler, slower solution.

Let me know about those latter questions and I'm sure we can get you moving on that one too.

(Now that I've said that, someone will probably answer it with a generic and good search... 🙂 and that'd be perfect!  Besides, you can give karma to more than one answer!)

Happy Splunking,

Rich

0 Karma
Reply

cyberfan
Explorer
‎09-30-2020 08:45 PM

Hi Ri,

 

Thanks, but the OR condition does not mean the chain of events happen at short time interval, say less than 0.05 seconds, right?

also I want sam account="abc" in event 4741 and sid="xyz"  in event 4743, do you suggest "

(event  id=4741 and sam="abc") or (event id=4743 and sid="xyz") then count>2?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...