I am building a correlation search in Splunk ES Cloud 8 using multiple detections combined with append. Each subsearch looks for a specific lateral movement technique (e.g., suspicious scheduled task creation, Kerberos service ticket anomalies, special privileged logons, and rapid authentications).

The issue I'm running into is that when I include the "WinEvent Scheduled Task Created Within Public Path" rule (EventCode=4698) as the first search (base search), it doesn't produce results in the final stats output, even though it returns data when run standalone. When I move it into an append subsearch (e.g., after the Kerberos tickets rule), it shows results correctly.

This is my sample search:

    [ search index="wineventlog" EventCode=4698 ...
      | stats count by Computer, TaskName, TaskContent, SubjectUserName ]
    | append
        [ search index="wineventlog" EventCode=4769 ...
          | bucket span=5m _time
          | stats dc(ServiceName) ... by _time, IpAddress, TargetUserName ]
    ...
    | bucket span=1h _time
    | stats dc(rule_id) as rule_count ... by _time, user

Could anyone confirm if this is the right fix or suggest a better practice?
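The following is an added example of the pattern the question is asking about, not the original poster's search and not a reconstruction of the parts elided with "...". It illustrates three SPL behaviours that matter for this kind of multi-detection correlation: a bracketed `[ search ... ]` placed at the head of a pipeline is a subsearch, not a base search, so Splunk rewrites its result rows into search terms for an implicit outer `search` rather than passing them on as rows; `stats ... by` emits only its by-fields and aggregates, so any branch that does not carry `_time`, `user` and `rule_id` through to the final `stats` is dropped there, because `stats` discards rows in which a by-field is null; and `append` subsearches are silently truncated at their `maxout` (default 50000 rows) and `maxtime` (default 60 s) limits. The example writes the first detection as a plain base search and normalizes every branch to the same `_time`, `user`, `rule_id` schema before the final aggregation. The `rule_id` strings, the `lower()` user normalization, the `svc_count > 20` threshold and the `rule_count >= 2` correlation threshold are placeholders chosen for illustration, not values from the original rules.

```spl
search index="wineventlog" EventCode=4698
| eval user=lower(SubjectUserName), rule_id="scheduled_task_public_path"
| bucket span=1h _time
| stats count by _time, user, rule_id
| append
    [ search index="wineventlog" EventCode=4769
      | eval user=lower(TargetUserName), rule_id="kerberos_service_ticket_anomaly"
      | bucket span=5m _time
      | stats dc(ServiceName) as svc_count by _time, IpAddress, user, rule_id
      | where svc_count > 20
      | fields _time, user, rule_id ]
| bucket span=1h _time
| stats dc(rule_id) as rule_count, values(rule_id) as rules by _time, user
| where rule_count >= 2
```

Each branch ends with `_time` in its `stats` by-clause so the timestamp survives into the outer pipeline; the outer `bucket span=1h _time` then re-aligns the 5-minute Kerberos buckets onto the hourly correlation window. The `user` field is derived from a different source field in each event type (`SubjectUserName` for 4698, `TargetUserName` for 4769), and the example assumes those values are comparable after `lower()`; in practice the 4769 value may carry a realm suffix and needs the same normalization the other rules use, or the correlation will never join. Because `append` is a subsearch, check `dc(rule_id)` per branch and the search job's messages for truncation before trusting a low `rule_count`; for large event volumes, `multisearch` (which requires each branch to be a streaming search, so the per-branch `stats` would have to move outward) or per-rule risk events with a separate risk-based correlation avoid the subsearch limits entirely.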