Hi @SplunkNewbie132, you can use the solution from @yuanliu or use a more structured solution.

You should create an eventtype for each data source, e.g. for Windows (EventCode 4625, failed logon):

index=* sourcetype="wineventlog:security" EventCode=4625 host="CLIENT1-DESKTOP" Account_Name=client1

and for Linux (sshd "Failed password" lines in auth.log):

index=* source="/var/log/auth.log" host="client3-kali" "Failed password"

then you can run a simpler search like this:

eventtype=windows OR eventtype=linux
| bucket span=1m _time
| stats values(EventCode) AS EventCode by _time host source

Obviously there are fields (e.g. EventCode) that are present in only one OS, so they will be empty in the Linux rows. If you have fields with the same content but a different name (e.g. process and Caller_Process_Name), you can use a rename or an alias:

eventtype=windows OR eventtype=linux
| eval Caller_Process_Name=coalesce(process, Caller_Process_Name)
| bucket span=1m _time
| stats values(EventCode) AS EventCode values(Caller_Process_Name) AS Caller_Process_Name by _time host source

(The coalesce has to run before the stats, otherwise process and Caller_Process_Name are no longer in the results when eval runs.)

Ciao.
Giuseppe
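The normalisation the answer above describes (one eventtype per OS, a shared field schema with coalesce for differently named fields, then a per-minute count by host and source) can be checked outside Splunk on a handful of log lines. The following is an added example, not code from the thread or from Splunk: the Windows 4625 lines, the Linux auth.log lines, the hosts and the year 2024 assumed for the syslog timestamps are all constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original thread).
# Windows Security events as rendered in wineventlog:security, reduced to the
# timestamp and the key=value fields that matter for this search.
WINDOWS_SOURCETYPE = "wineventlog:security"
WINDOWS_EVENTS = [
    ("CLIENT1-DESKTOP", "03/01/2024 10:00:12 AM EventCode=4625 Account_Name=client1 "
                        "Caller_Process_Name=C:\\Windows\\System32\\svchost.exe"),
    ("CLIENT1-DESKTOP", "03/01/2024 10:00:41 AM EventCode=4625 Account_Name=client1 "
                        "Caller_Process_Name=C:\\Windows\\System32\\svchost.exe"),
    ("CLIENT1-DESKTOP", "03/01/2024 10:01:05 AM EventCode=4624 Account_Name=client1 "
                        "Caller_Process_Name=C:\\Windows\\System32\\svchost.exe"),
]
# Linux sshd lines from /var/log/auth.log; syslog timestamps carry no year.
LINUX_SOURCE = "/var/log/auth.log"
LINUX_LINES = [
    ("client3-kali", "Mar  1 10:00:30 client3-kali sshd[2041]: Failed password for client1 from 10.0.0.7 port 51122 ssh2"),
    ("client3-kali", "Mar  1 10:00:55 client3-kali sshd[2041]: Failed password for invalid user admin from 10.0.0.7 port 51130 ssh2"),
    ("client3-kali", "Mar  1 10:02:10 client3-kali sshd[2050]: Accepted password for client1 from 10.0.0.7 port 51140 ssh2"),
]
LOG_YEAR = 2024  # assumed year for the syslog lines above

WIN_TIME_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
KV_RE = re.compile(r"(\w+)=(\S+)")
LINUX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<process>\w+)\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"
)


def parse_windows(host, line):
    """eventtype=windows: keep only EventCode 4625 (failed logon) and map the
    Windows field names onto the shared schema."""
    m = WIN_TIME_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if not m or fields.get("EventCode") != "4625":
        return None
    return {
        "_time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
        "host": host,
        "source": WINDOWS_SOURCETYPE,
        "EventCode": fields["EventCode"],
        "user": fields.get("Account_Name"),
        # same content, different field name on Windows: this is the
        # coalesce(process, Caller_Process_Name) step, done at parse time
        "process": fields.get("Caller_Process_Name"),
    }


def parse_linux(host, line, year=LOG_YEAR):
    """eventtype=linux: sshd 'Failed password' lines only."""
    m = LINUX_RE.match(line)
    if not m:
        return None
    return {
        "_time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": host,
        "source": LINUX_SOURCE,
        "EventCode": None,  # Windows-only field, empty on Linux rows
        "user": m.group("user"),
        "process": m.group("process"),
    }


def failed_logins_per_minute(win_events=WINDOWS_EVENTS, linux_lines=LINUX_LINES):
    """Equivalent of '| bucket span=1m _time | stats count values(EventCode)
    values(user) values(process) by _time host source' over both sources."""
    events = [e for e in (parse_windows(h, l) for h, l in win_events) if e]
    events += [e for e in (parse_linux(h, l) for h, l in linux_lines) if e]
    rows = defaultdict(lambda: {"count": 0, "EventCode": set(), "user": set(), "process": set()})
    for e in events:
        minute = e["_time"].replace(second=0, microsecond=0)
        row = rows[(minute, e["host"], e["source"])]
        row["count"] += 1
        if e["EventCode"] is not None:
            row["EventCode"].add(e["EventCode"])
        row["user"].add(e["user"])
        row["process"].add(e["process"])
    return dict(rows)


if __name__ == "__main__":
    for (minute, host, source), row in sorted(failed_logins_per_minute().items()):
        print(minute.strftime("%Y-%m-%d %H:%M"), host, source, row["count"],
              sorted(row["EventCode"]), sorted(row["user"]), sorted(row["process"]))
```

Each parser plays the role of one eventtype: it decides which raw events belong to the data source and emits the shared field names, so the aggregation never has to know which OS a row came from. The 4624 logon and the "Accepted password" line are dropped at that stage, and the Linux rows simply carry an empty EventCode, which is the behaviour the answer describes for fields that exist on only one OS.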