Alerting

Could someone help me understand this search?

LRathinakumar
Explorer

Hello Guys, 

I am getting confused about this below query,  can anyone help me to understand it.

Actually in the search query there is "AND" commands with the same Field name, I am not getting to know how the "AND" command works here for same field. If its a "OR" command then the query will check for both the values, but where as coming to "AND" command how does it works in the same field name. Can someone help me out regarding this....

index=* source="WinEventLog:Microsoft-Windows-PowerShell/Operational" AND ((EventCode="800" AND EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*") OR (EventCode="4103" AND Payload="*-ItemProperty*" AND Payload="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND Payload="*DsrmAdminLogonBehavior*") OR (EventCode="4104" AND ScriptBlockText="*-ItemProperty*" AND ScriptBlockText="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND ScriptBlockText="*DsrmAdminLogonBehavior*"))

Thanks in advance......

Labels (4)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Firstly, that's a very badly written search 😉

But seriously - because of how splunk indexes data and searches it afterwards, it's a very inefficient way to include a wildcard at the beginning of the  search term - it causes Splunk to scan all the events and not be able to use the pre-built indexes. You can as well just store all your data in a big flat file.

Anyway, your understanding is right - the composite condition searches for events that fulfill all those conditions at the same time which means that EventData contains all those strings at the same time - a single matching event must have all those in the contents.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

1. If you paste a search, please use a code block of preformatted style. And - if possible - indent it. It's easier to read.

2. The AND operator is implied between separate conditions - if there are no operators explicitly placed there, AND is used as if it was placed there. So

a=b c=d e=f

is equivalent to

a=b AND c=d e=f

and equivalent to

a=b AND c=d AND e=f

3. OR has to be explicitly stated and binds the closest conditions with a higher precedence than AND. So

a=b c=d OR e=f

is equal to

a=b AND (c=d OR e=f)

 4. NOT binds the closest following condition with the highest priority. So

a=b OR c=d NOT e=f

is equal to

(a=b OR c=d) AND (NOT e=f)

 5. If in doubt, use parentheses!

6. https://docs.splunk.com/Documentation/SCS/current/Search/Predicates#Logical_operators

0 Karma

LRathinakumar
Explorer

Hello @PickleRick 

 

Thank you for the response and i have understood the AND , OR operators usage. But i mean to ask is in the search query i mentioned in the above it contains the - 

EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*"

Here the same field "EventData" is mentioned three times with different values and is divided with AND operator. So that means the search is looking for all the mentioned values below EventData field in the logs...?

 

Hope you understood my query....

 

thanks in advance....

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Firstly, that's a very badly written search 😉

But seriously - because of how splunk indexes data and searches it afterwards, it's a very inefficient way to include a wildcard at the beginning of the  search term - it causes Splunk to scan all the events and not be able to use the pre-built indexes. You can as well just store all your data in a big flat file.

Anyway, your understanding is right - the composite condition searches for events that fulfill all those conditions at the same time which means that EventData contains all those strings at the same time - a single matching event must have all those in the contents.

LRathinakumar
Explorer

hi @PickleRick 

 

Thank you for the response and thank you for the clarity.

 

I have included the wildcard just for reference and i will replace it with my indexes which are needed to include in the search.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You misunderstood me. I'm not talking about the "index=*" part (which is an inefficient thing but just because you search across all your indexes).

I'm talking about the EventData=*whatever* part.

If you search for something like EventData=whatever or even for EventData=whatever*, Splunk is able to leverage its indexes and chose quickly only those events that have "words" matching your search terms which makes the search much mich faster. If you're searching for "*whatever*" Splunk has no "fixed" thing it can search for so it has to look through all the data it has.

In some cases you can use a search not bound specifically to a single field to restrict the processed events to some subset.

For example, your search contains condition

EventData="*-ItemProperty*"

On it's own it's a very inefficient search since it starts with a wildcard. But since you have a string "ItemProperty*" beginning with a segmenter, you can rework this condition to

ItemProperty* AND EventData="*-ItemProperty*"

This will cause Splunk to restrict its search only to those events in which there is a "word" starting with ItemProperty.

 

0 Karma

LRathinakumar
Explorer

Hi @gcusello 

Thank you for the response and my issue is to understand the search query below with AND boolean operator. In this below search query the AND boolean is used multiple times with the same field name that means the AND boolean is looking for the 2 values in the same log.... if not Please clarify how AND boolean works.

index=* source="WinEventLog:Microsoft-Windows-PowerShell/Operational" AND ((EventCode="800" AND EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*") OR (EventCode="4103" AND Payload="*-ItemProperty*" AND Payload="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND Payload="*DsrmAdminLogonBehavior*") OR (EventCode="4104" AND ScriptBlockText="*-ItemProperty*" AND ScriptBlockText="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND ScriptBlockText="*DsrmAdminLogonBehavior*"))

Thanks in advance

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @LRathinakumar,

You're confusing the AND operator with the OR operator:
if you use OR you take the results for which one of the two conditions occurs, that is, as you say, two values; the AND operator, on the other hand, is a more exclusive condition because you only take the values for which both conditions are true.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @LRathinakumar,

at first AND isn't a command but a boolean operator as OR.

Second time, AND is mandatory only in the eval command, in the search isn't mandatory, so your search will return the same results without ANDs.

The logic is that both the conditions correlated by AND must be verified, if you have  more AND conditions all of them must be verified.

But what's upir issue?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...