Splunk Search

output transaction events

smudge797
Path Finder

I'm using this search for monitoring security events:

source="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| stats sum(duration) AS Duration by User, ComputerName
| eval 'Duration(M)'=round(Duration/60, 0)
| table User, Duration(M), ComputerName

I want the output to be:

date   user    Duration   ComputerName
day1   user1   10         comp1.com
day2   user1   17         comp1.com
day3   user1   5          comp1.com
day1   user2   17         comp2.com
day2   user2   11         comp2.com
day3   user2   13         comp2.com
...

Any ideas?
Thanks!

koshyk
Super Champion

I haven't looked into your logic, but I suppose your question is how to include the date in the grouping as well? Please try this:

sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| stats sum(duration) AS Duration by date, User, ComputerName
| eval 'Duration(M)'=round(Duration/60, 0)
| table date, User, Duration(M), ComputerName

smudge797
Path Finder

A new date column appears, but no time. This should be pulled from the event itself, right?
This is the format of one event:
03/16/2016 11:03:09 AM
LogName=Security
SourceName=Microsoft Windows Security Auditing
EventCode=4624
EventType=0
...

koshyk
Super Champion

Can you please try sourcetype instead of source? (I have amended the above query.) Are you getting any data at all?

smudge797
Path Finder

Awesome! Looking good now. 🙂 Could the results be consolidated into a single entry per day?

koshyk
Super Champion

Definitely. But you are asking it to split by date, then by user, then by ComputerName, so it will split on each of them.

If you are thinking of a non-relational output, there are many other commands that give you a single date entry for multiple users, ComputerNames, etc.

(Please vote / mark the answer if the solution helped.) Cheers.

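Added example (not part of koshyk's answer or of the original search) that puts the two pieces of this thread together: the date column from the first answer and the "single entry per day" consolidation asked about in the last exchange. Two things here are assumptions beyond what the thread shows: ComputerName is added to the transaction keys so that a 4624 on one host is not closed by a 4634 on another host for the same user (the thread's search groups on User only), and the field names (Account_Name, ComputerName, EventCode, action, Logon/Logoff event codes) are the ones the Splunk Add-on for Windows extracts for the Security log, as used in the thread.

```spl
sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0))
| eval User=lower(User)
| search NOT User=*$
| transaction User ComputerName maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634"
| eval date=strftime(_time, "%Y-%m-%d")
| stats sum(duration) AS Duration by date, User, ComputerName
| eval Duration_min=round(Duration/60, 0)
| eval session=User." on ".ComputerName.": ".Duration_min." min"
| stats values(session) AS sessions, dc(User) AS users, sum(Duration_min) AS total_min by date
```

Stage by stage: the first three pipes are the thread's own user normalisation (4624 carries two Account_Name values, subject and target, so the second one is taken; 4634 carries one; computer accounts ending in `$` are dropped). `transaction` pairs each logon with the next logoff for the same user on the same host and emits `duration` in seconds, with `_time` set to the logon time, so `strftime(_time, "%Y-%m-%d")` dates a session by the day it started (the same thing koshyk's `convert ... ctime(_time) AS date` does). The first `stats` is the per-day, per-user, per-host table from the thread; the final `eval` plus `stats values(...) by date` folds those rows into one multivalue cell per day, alongside the number of distinct users and the total minutes. If a matrix is wanted instead, `| chart sum(Duration_min) over date by User` in place of the last two lines gives one row per day and one column per user. Two caveats worth keeping in mind: the transaction has no `maxspan`, so a logon with no matching logoff (for example a host that crashed) will be paired with the next logoff however far away it is, and setting `maxspan=1d` or similar is a reasonable guard; and `values()` de-duplicates, so two identical sessions on the same day collapse into one entry, whereas `list()` keeps them all.
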
smudge797
Path Finder

Yeah, cool, thanks!
