- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: output transaction events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
output transaction events
Im using this search for monitoring security events:
source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
|eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
|stats sum(duration) As Duration by User, ComputerName
|eval Duration(M)=round((Duration/60), 0)
|table User,Duration(M),ComputerName
I want the output to be:
date, user, Duration, ComputerName
day1 user1 10 comp1.com
day2 user1 17 comp1.com
day3 user1 5 comp1.com
day1 user2 17 comp2.com
day2 user2 11 comp2.com
day3 user2 13 comp2.com
...
Any ideas?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't looked into your logic, but I suppose your question is to include Date also into the grouping? Please try this
sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats sum(duration) As Duration by date, User, ComputerName
| eval Duration(M)=round((Duration/60), 0)
| table date,User,Duration(M),ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New date column appears but no time. This should be pulled from the event itself right?
This is the format of one event:
03/16/2016 11:03:09 AM
LogName=Security
SourceName=Microsoft Windows Security Auditing
EventCode=4624
EventType=0
...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you please try sourcetype instead of source .. (amended the above query). Are you getting some data at all?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! looking good now. 🙂 Could the results be consolidated into a single entry per day?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
definitely. But you are asking it to Split by date, then by user, then by computerName..
So it will do splitting on each of them
if you are thinking to have non-relational data output, you have many other commands to have a single date entry for multiple users,computerName etc..
(Please vote/mark answer if the solution helped) Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah cool thanks!
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
