Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching ranges of event codes from windows event logs

LiquidTension
Path Finder
‎09-25-2013 07:23 AM

A user within my organization was attempting to search for various windows events that indicated that somebody modified a user's acccess on a machine or domain controller. Originally the search being used was the following:

(EventCode > 630 AND EventCode < 640) OR EventCode = 641 OR (EventCode > 647 AND EventCode < 668) OR (EventCode > 4726 AND EventCode < 4736) OR EventCode = 4737 OR (EventCode > 4743 AND EventCode < 4763) OR EventCode = 4764 OR (EventCode > 4782 AND EventCode < 4793)

This was not returning the range of event codes properly.

I modified the search accordingly and came up with this:

index=windows* sourcetype="WinEventLog:Security" (EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793")

Thought I would share for people.

-Regards

Reply
1 Solution
Solved! Jump to solution
Solution

LiquidTension
Path Finder
‎09-25-2013 07:25 AM

The following search returned more appropriate results for the user.

index=windows* sourcetype="WinEventLog:Security" (EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793")

View solution in original post

Reply
Solved! Jump to solution

splunknewbie81
Engager
‎09-20-2021 06:44 AM

Sorry to hijack this thread. 

Can someone please explain to me this string?

 

(EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793")

I don't quite understand the logic behind the search string.

0 Karma
Reply
Solved! Jump to solution
Solution

LiquidTension
Path Finder
‎09-25-2013 07:25 AM

The following search returned more appropriate results for the user.

index=windows* sourcetype="WinEventLog:Security" (EventCode>="630" AND EventCode<="640") OR EventCode="641" OR (EventCode>="647" AND EventCode<="668") OR (EventCode>="4726" AND EventCode<="4736") OR EventCode="4737" OR (EventCode>="4743" AND EventCode<="4763") OR EventCode="4764" OR (EventCode>="4782" AND EventCode<="4793")

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...