I am getting different results for the following two queries and I cannot understand why (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain | eval acctN=mvindex(Account_Name,1) | search acctN=* | bin _time span=1d as date | eval ComputerName=replace(ComputerName,".mydomain","") | eval user=upper(acctN) | eval domain=upper(TargetAccountDomain) | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type | sort 0 user ComputerName | search user=myID | append [| inputlookup user_device_logon.csv | search user=myID] | sort 0 user ComputerName | eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F") This returns 20 items. But If I revers the order of the component searches: | inputlookup user_device_logon.csv | search user=myID | append [ search (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain | eval acctN=mvindex(Account_Name,1) | search acctN=* | bin _time span=1d as date | eval ComputerName=replace(ComputerName,".mydomain","") | eval user=upper(acctN) | eval domain=upper(TargetAccountDomain) | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type | sort 0 user ComputerName | search user=myID] | sort 0 user ComputerName | eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F") This returns 19 items. If I run the two component searches separately, the lookup table returns 19 items and the windows event search returns 1 item. The difference appears to be that the second search does not include the appended search results in the total results. What am I doing wrong here? The second search is supposed to be better since the lookup table will get large and the appended search will usually be small. But it is not better if it prevents the windows search from returning data. ... View more

I am trying to track user/machine logons. To help with this, I created the following query as an accelerated report: (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*.mydomain | eval acctN=mvindex(Account_Name,1) | search acctN=* | bin _time span=1d as date | eval ComputerName=replace(ComputerName,".mydomain","") | eval user=upper(acctN) | eval domain=upper(TargetAccountDomain) | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type | sort 0 user ComputerName As an accelerated report this runs quite quickly for most time ranges: a month gives me 23K stats in 12 seconds 90 days gives me 55k stats in 50 seconds. However a YTD is brutal (5 hours. not sure why I let it finish) I figure that I could use this report to do quick research on users/logons that I might see in a new computer/logon alert (to be created). So I built a dashboard with inputs for time, user, ComputerName and tried this: (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=.mydomain TargetAccountName=$user$ ComputerName=$computer$ | eval acctN=mvindex(Account_Name,1) | bin _time span=1d as date | eval ComputerName=replace(ComputerName,".mydomain","") | eval user=upper(acctN) | eval domain=upper(TargetAccountDomain) | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type | sort 0 user ComputerName But that runs slower, the one month query goes to 45 seconds. So it looks like the acceleration statistics are at a higher level than the windows index. So then I tried moving my search term to the end. (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=.mydomain | eval acctN=mvindex(Account_Name,1) | bin _time span=1d as date | eval ComputerName=replace(ComputerName,".mydomain","") | eval user=upper(acctN) | eval domain=upper(TargetAccountDomain) | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type | sort 0 user ComputerName | search user=$user$ ComputerName=$computer$ This runs way better, one month in 5 seconds - which is faster than reporting on a month of everything. But that's even more confusing, since according to the query, I had to summarize a month of everything before I could filter for user and computername. So how are Accelerated Reports indexing their summarized data? And what/why is the best way to filter that data? (also, would this have been a better case for a summary index?) ... View more

Are there best practices when mapping PaloAlto firewall logs to CIM datamodels? One think that I noticed is that Network_Traffic maps anything with tag="network" and tag="communicate". This means all logs of type "start" and "end", which are not filter terms for the Network_Traffic datamodel. It seems to me that the datamodel should only include "end" events to prevent double counting traffic. Is that right? Are there other considerations for how PaloAlto firewall logs should get mapped into Network_Traffic? How about how PaloAloto firewall logs get mapped into other datamodels? -Network_Sessions -Web Are there best practice docs for other log sources getting properly mapped to CIM datamodels? If not, such docs could prove invaluable to a person trying to get their datamodels working properly. This has been bugging me since we implemented Splunk ES. Our professional services consultant thought I should have had an answer for Network_Traffic (we didn't even address others), but without more knowledge of how the datamodels were used, I could not know. ... View more