Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About charlottelimcl
charlottelimcl
Explorer
Member since:
10-03-2022
03-19-2025
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 10-03-2022 |
Activity Feed
- Posted Re: How to display 2 fields from different sources into a table? on Splunk Search. 03-19-2025 01:24 AM
- Posted Re: How to display 2 fields from different sources into a table? on Splunk Search. 03-18-2025 09:24 PM
- Posted Re: How to display 2 fields from different sources into a table? on Splunk Search. 03-10-2025 01:50 AM
- Posted How to display 2 fields from different sources into a table? on Splunk Search. 03-10-2025 12:56 AM
- Karma Re: Is the following scenario possible? to have a more cost effective solution to onboard sysmon for isoutamo. 01-16-2025 12:27 AM
- Posted Re: Is the following scenario possible? to have a more cost effective solution to onboard sysmon on Getting Data In. 01-15-2025 11:31 PM
- Posted Re: Is the following scenario possible? to have a more cost effective solution to onboard sysmon on Getting Data In. 01-15-2025 10:59 PM
- Posted Is the following scenario possible? to have a more cost effective solution to onboard sysmon on Getting Data In. 01-15-2025 05:52 PM
- Posted Re: How to feed results of a query into another query of a different time and index? on Splunk Search. 10-05-2022 12:55 AM
- Posted Re: How to feed results of a query into another query of a different time and index? on Splunk Search. 10-04-2022 02:56 AM
- Posted Re: How to feed results of a query into another query of a different time and index? on Splunk Search. 10-03-2022 05:59 AM
- Karma Re: How to feed results of a query into another query of a different time and index? for gcusello. 10-03-2022 05:58 AM
- Posted How to feed results of a query into another query of a different time and index? on Splunk Search. 10-03-2022 03:00 AM
- Posted Re: How do I dedup duplicate values including that value itself? on Splunk Search. 10-03-2022 02:50 AM
- Posted How do I dedup duplicate values including that value itself? on Splunk Search. 10-03-2022 02:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-19-2025
01:24 AM
i tried entering this with a slight tweak to the query: index=wineventlog source=wineventlog:security EventCode IN (4663,4688) Process_Name="*welcome.exe"
| stats
earliest(_time) AS _time
values(Object_Name) AS Object_Name
BY ComputerName Process_Name
| table _time ComputerName Object_Name Process_Name Initiating_Process_Name , however this is my result: _time ComputerName Object_Name Process_Name Initiating_Process_Name 2025-03-19 16:00 ABCDE object.exe welcome.exe (blank) I am still not able to get all 3 columns (object name, process name, initiating process name) into the same table.
... View more
03-18-2025
09:24 PM
Many thanks for your reply. Maybe I could add some clarity to the exact results I want: First inner search: index=wineventlog source=wineventlog:security EventCode=4663 Object_Name="*hello.exe" Process_Name="*welcome.exe"
| table _time ComputerName Object_Name Process_Name _time ComputerName Object_Name Process_Name 2025-03-19 12:00:00 ABCDE \ABC\hello.exe welcome.exe Next, when I search EventCode=4688, this is a sample search and outcome: index=wineventlog source=wineventlog:security EventCode=4688 Process_Name="*welcome.exe"
| table _time ComputerName Process_Name Initiating_Process_Name _time ComputerName Process_Name Initiating_Process_Name 2025-03-19 12:00:00 ABCDE welcome.exe cmd.exe WHAT I WANT: I want to feed this into the next search in EventCode=4688 to identify the Process Name and subsequently linking to the Initiating_Process_Name that appear as a result of the above search, i.e. Final outcome I want: _time ComputerName Object_Name Process_Name Initiating_Process_Name 2025-03-19 12:00:00 ABCDE \ABC\hello.exe welcome.exe cmd.exe The issue is, EventCode=4688 only has Process_Name and Initiating_Process_Name and NO Object_Name, while EventCode=4663 only has Object_Name and Process_Name and NO Initiaitng_Process_Name. The common linkingfactor would be the Process_Name to correlate this two events together. How can i do this?
... View more
03-10-2025
01:50 AM
Hi @gcusello , thanks for your advise. I tried running the search below but it takes quite a long time to show results. Furthermore the query does not display Object_Name as needed
... View more
03-10-2025
12:56 AM
Hi all, I have the following query: index=wineventlog source=wineventlog:security EventCode=4688
[search index=wineventlog source=wineventlog:security EventCode=4663 Object_Name="*hello.exe" Process_Name="*welcome.exe"
| fields Account_Name Process_Name
| rename Process_Name as New_Process_Name]
| table _time ComputerName Account_Name New_Process_Name Initiating_Process_Name EventCode=4663 has a field called Object_Name, while EventCode=4688 does not. My end result is that I want to display a table to show the Object_Name column alongside with New_Process_Name and Initiating_Process_Name. The above query identifies the Account_Name and New_Process_Name (of the subsearch) and is fed into the main search to identify the Initiating_Process_Name. I want to be able to include the Object_Name from EventCode=4663 into this table as well. How can i do it?
... View more
Labels
- Labels:
-
subsearch
01-15-2025
11:31 PM
at the moment, the servers are monitored on splunk, but only win event log:security logs are being piped. I want to increase the monitoring capability to include sysmon and powershell logging, but, i do not want sysmon logs from ALL servers to be indexed and searchable, unless a security event warrants a particular server to have its sysmon indexed. i.e. 1. all severs have sysmon enabled 2. splunk's security analytics and detection queries runs in the background to monitor the sysmon, if there are any hits, it creates an alert on splunk and the alert log is indexed. 3. alert is sent to a case management system 4. at the request of the security analyst, he can request to view the sysmon of that particular server and that server' sysmon will be indexed on splunk for the past 5 days. 5. analyst will not be able to view sysmon on splunk for the rest of the servers that are not indexed as it is unrelated to the security event. he can only index the sysmon of a particular server IF he triggers that action from the case management system
... View more
01-15-2025
10:59 PM
Reason for the above is that i have hundreds of servers and if every server has its sysmon log indexed, it will take up a lot of bandwidth, storage space and cost. Hence i am looking to find a possible solution where splunk security detection analytics can run across all servers and triggers an alert for any positive hits, and only at the request of the security analyst, then the sysmon of a particular endpoint of interest will be indexed for the past 5 days for example.
... View more
01-15-2025
05:52 PM
I would like to understand if the following scenario would be possible: 1. Security detection queries/analytics relying on sysmon logs are onboarded and enabled. 2. When the logs of a certain endpoint matches the security analytic, it creates an alert and is sent to a case management system for the analyst to investigate. 3. at this point, the analyst is not able to view the sysmon logs of that particular endpoint. he will need to manually trigger the sysmon log to be indexed from the case management platform, only then he will be able to search the sysmon log on splunk for the past X number of days 4. however, the analyst will not be able to search for sysmon logs of the other unrelated endpoints. In summary, is there a way that we can deploy and have the security detection analytics to monitor and detect across all endpoints, yet only allowing the security analyst to only have the ability to search for the sysmon logs of the endpoint which triggered the alert based on an adhoc request via the case management system?
... View more
Labels
- Labels:
-
indexer
10-05-2022
12:55 AM
Regarding the 0 results, this is my current query: index= useractivitylogs
[search
index=wineventlog EventCode=4725 earliest=-1h latest=now
| eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S")
| stats count as count by username
| where count=1
fields username ] Without inputting any table or running any stats on it, it shows up as 0. Even if i were to change my index to the same as the subsearch index, it is still 0 results. Currently, the subsearch results will list a column of many different usernames. I am trying to troubleshoot as to why running the subsearch results in 0. Will appreciate your help. Thank you
... View more
10-04-2022
02:56 AM
i tried this but it appears that there are 0 results. Also another thing i noticed is when i used the time modifiers, i.e. (earliest=-1h latest=now), it is relative to the time now, instead of relative to the datetime range i chose at the side bar. Is there a way to change the time modifiers to be relative to the datetime selected at the sidebar? Thank you
... View more
10-03-2022
05:59 AM
Thank you, i will try this
... View more
10-03-2022
03:00 AM
Hi all, I am trying to feed results of a query into another of a different time and index and I'm facing issues with this. Context: I want to look for any user activity across my servers on d+1 for list of user accounts which shows up as disabled on the active directory (windows event code=4725). From the search query below, I want to parse the list of usernames where count=1 and look for any user activity on d+1 onwards after earliest(_time) is recorded. index=useractivitylogs [search index=wineventlog EventCode=4725 | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count as count, earliest(timestamp) by username | where count=1] Example: Eventcode 4725 is recorded for these 2 users based on my inner search: Timestamp | User: 5 September 2022 | Anna 10 September 2022 | Betty Then, I want to feed these results to identify any user activity found on any servers on d+1 after the recorded Timestamp. Thank you.
... View more
Labels
- Labels:
-
subsearch
10-03-2022
02:50 AM
Thanks for the reply. I wanted to have the timestamp of the occurrence as well. I went to do more research and apparently I can add this: | stats count as count, earliest(_time) by username | where count=1
... View more
10-03-2022
02:14 AM
Hi everyone, I am new to splunk. I am looking at windows event logs for the EventCode=4725 for all usernames within a week's timeframe. What I want is to remove username results if there are more than 1 count for this eventcode including that username, and then list in a table to show the timestamp and username when the eventcode occurred. Example: Usernames with EventCode=4725 recorded within 1 week: Day 1 10pm : anna Day 1 11pm : betty Day 3 10pm : anna Day 3 1pm : charlie Day 7 2pm : zach Final result I want is: Day 1 11pm : betty Day 3 1pm : charlie Day 7 2pm : zach From the above we have 'anna' removed completely from as her event showed up more than once. This is my original query: index=wineventlog EventCode=4725 | fields * | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count by username | where username = 1 I then realised the problem with using stats count by, because I wouldnt be able to show the timestamp for the results result this is in statistics. I have thought of using dedup to remove duplicate values, but I have not found a way to remove duplicate values including that value itself. Please help. Thank you
... View more
Labels
- Labels:
-
stats
