×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
pt
Engager
Member since: ‎09-10-2025
‎12-22-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎09-10-2025
Activity Feed
View All

Problem in using append to combine correlation rul...

by in Splunk Search
‎09-10-2025 07:33 PM
‎09-10-2025 07:33 PM
I am building a correlation search in Splunk ES Cloud 8 using multiple detections combined with append. Each subsearch looks for a specific lateral movement technique (e.g., suspicious scheduled task creation, Kerberos service ticket anomalies, special privileged logons, and rapid authentications). The issue I’m running into is that when I include the “WinEvent Scheduled Task Created Within Public Path” rule (EventCode=4698) as the first search (base search), it doesn’t produce results in the final stats output, even though it returns data when run standalone. When I move it into an append subsearch (e.g., after the Kerberos tickets rule), it shows results correctly. This is my sample search [ search index="wineventlog" EventCode=4698 ... | stats count by Computer, TaskName, TaskContent, SubjectUserName ] | append [ search index="wineventlog" EventCode=4769 ... | bucket span=5m _time | stats dc(ServiceName) ... by _time, IpAddress, TargetUserName ] ... | bucket span=1h _time | stats dc(rule_id) as rule_count ... by _time, user Could anyone confirm if this is the right fix or suggest a better practice?” ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-22-2025 09:24 PM
Karma given to
View All