Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multiple event code search

cyberfan
Explorer
‎09-30-2020 06:18 AM

we want to detect the multiple events together, for example, we want to find out those events which have event 4741 and event 4743 happen together.

scenario 1: at certain time (2020.3.20 18:00:00)  both 4741 and 4743 happen together

Scenario2: the interval between 4741 and 4743 is short (less than 2 second)

how to define SPL for these two scenarios, do we need correlation search?

Labels (1)
Labels
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎09-30-2020 08:24 AM

Scenario 1 is fairly easy, scenario 2 can be harder, but maybe not.

Scenario 1: As long as you have a way to separate different "instances" of 4741 and 4743 (e.g. "by user" or something), then

index=foo sourcetype=bar (eventId=4741 OR eventId=4743)
| stats count by _time, <user>
| where count>=2

That's obviously just sort of tossed together pseudocode, but should get you close.  It relies on the timestamps being the same (to second resolution) for two events for the same user.

Scenario 2: some questions.

Are these two events expecting to be in a particular order or might they be in either order?

What's the approximate volume of the source data, and how often they'll match? 

Answers that work really well with a few hundred or thousand events and which can be easily understood, like transaction, are not necessarily the same answers as if there's a few million/billion per day.  For the latter, we may have to sort of "approximate" what "2 seconds apart" means very slightly which will work LOTS faster on bigger data sets but may not quite work as perfectly or at least be as understandable as a simpler, slower solution.

Let me know about those latter questions and I'm sure we can get you moving on that one too.

(Now that I've said that, someone will probably answer it with a generic and good search... 🙂 and that'd be perfect!  Besides, you can give karma to more than one answer!)

Happy Splunking,

Rich

0 Karma
Reply

cyberfan
Explorer
‎09-30-2020 08:45 PM

Hi Ri,

 

Thanks, but the OR condition does not mean the chain of events happen at short time interval, say less than 0.05 seconds, right?

also I want sam account="abc" in event 4741 and sid="xyz"  in event 4743, do you suggest "

(event  id=4741 and sam="abc") or (event id=4743 and sid="xyz") then count>2?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top