Splunk Search

output transaction events

Path Finder

I'm using this search for monitoring security events:

source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User) | search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| stats sum(duration) As Duration by User, ComputerName
| eval Duration(M)=round((Duration/60), 0)
| table User,Duration(M),ComputerName

I want the output to be:

date, user, Duration, ComputerName
day1 user1 10 comp1.com
day2 user1 17 comp1.com
day3 user1 5 comp1.com
day1 user2 17 comp2.com
day2 user2 11 comp2.com
day3 user2 13 comp2.com
...

Any ideas?
Thanks!

0 Karma

Super Champion

I haven't looked into your logic, but I suppose your question is how to include the date in the grouping as well? Please try this:

 sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=4634  Account_Name=*  action=success 
  | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))  
  | eval User=lower(User)| search NOT User=*$
  | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
  | convert timeformat="%Y-%m-%d" ctime(_time) AS date
  | stats sum(duration) As Duration by date, User, ComputerName
  | eval Duration(M)=round((Duration/60), 0) 
  | table  date,User,Duration(M),ComputerName

Path Finder

A new date column appears, but no time. This should be pulled from the event itself, right?
This is the format of one event:
03/16/2016 11:03:09 AM
LogName=Security
SourceName=Microsoft Windows Security Auditing
EventCode=4624
EventType=0
...

0 Karma

Super Champion

Can you please try sourcetype instead of source (I amended the above query). Are you getting any data at all?

0 Karma

Path Finder

Awesome! Looking good now. 🙂 Could the results be consolidated into a single entry per day?

0 Karma

Super Champion

Definitely. But you are asking it to split by date, then by user, then by ComputerName, so it will split on each of them.

If you are thinking of having non-relational data output, there are many other commands that give you a single date entry for multiple users, ComputerNames, etc.

(Please vote/mark answer if the solution helped) Cheers.

0 Karma
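As an added example (not from either poster), one way to do the per-day roll-up asked about above: keep the date/User/ComputerName grouping from the accepted answer, then run a second stats that collapses each day into one row. It assumes the same fields as the original search (Account_Name, ComputerName, EventCode, action); the Session, Sessions, Total(M) and Users field names are my own choices.

```spl
sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634) Account_Name=* action=success
| eval User=lower(if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name,0)))
| search NOT User=*$
| transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
| eval date=strftime(_time, "%Y-%m-%d")
| stats sum(duration) AS Duration by date, User, ComputerName
| eval Duration_M=round(Duration/60, 0)
| eval Session=User." ".Duration_M."m ".ComputerName
| stats values(Session) AS Sessions sum(Duration_M) AS "Total(M)" dc(User) AS Users by date
| sort date
```

Because transaction only emits pairs that both start with a 4624 and end with a 4634, a logon that has not logged off inside the search window is dropped (unless you add keepevicted=true), so the per-day totals count closed sessions only; the `NOT User=*$` filter still excludes machine accounts as in the original.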

Path Finder

Yeah cool thanks!

0 Karma