Hi,
I've run into a problem: Splunk ingests Windows security events in such a way that field names may occur more than once and have different values assigned (e.g., 'Security_ID' can equate to any of the following: alpha-numeric account SID, actual account name, or even account group). I want to compose a search that compares the SIDs from two different events and gives results if a match is found. Something like:
Search for two events, A & B, occurring within 5 seconds of each other, where A possesses an alpha-numeric SID that exactly matches an alpha-numeric SID listed in event B.
The alpha-numeric value is not known in advance. Any insight on how to do this? Your help is much appreciated!
-Dave
You probably want to look at a certain SID in the events, either the first or the second, and compare that SID across events. Since the Security_ID is present more than once in these events, Splunk creates what is called a multivalued field. The individual values of the field can be accessed with various functions. You can then build so-called transactions based on this, e.g.
your search for events | eval sid2 = mvindex(Security_ID, 1) | transaction sid2 maxpause=5s
Read more here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Transaction
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
/K
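The correlation the answer describes, worked through in Python as an added illustration (not code from the thread or from Splunk): a multivalued Security_ID is picked apart with an mvindex-style lookup, and events sharing the chosen SID are grouped into transactions split at a 5-second pause. The event lines, timestamps and SIDs are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the thread). Security_ID appears twice per
# event: first the subject SID, then the SID of the account acted upon.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "EventCode=4624 Security_ID=S-1-5-18 Security_ID=S-1-5-21-1000-2000-3000-1105"),
    ("2024-01-01T10:00:03", "EventCode=4672 Security_ID=S-1-5-18 Security_ID=S-1-5-21-1000-2000-3000-1105"),
    ("2024-01-01T10:00:04", "EventCode=4624 Security_ID=S-1-5-18 Security_ID=S-1-5-21-1000-2000-3000-1199"),
    ("2024-01-01T10:00:20", "EventCode=4634 Security_ID=S-1-5-18 Security_ID=S-1-5-21-1000-2000-3000-1105"),
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def extract(raw):
    """Return {field: [values]}; a repeated field name becomes a multivalued field."""
    fields = {}
    for name, value in FIELD_RE.findall(raw):
        fields.setdefault(name, []).append(value)
    return fields

def mvindex(values, i):
    """Splunk-style mvindex: the i-th value, or None when the index is out of range."""
    return values[i] if -len(values) <= i < len(values) else None

def transactions(events, key_index=1, maxpause=5):
    """Group events by the SID at key_index, starting a new group whenever the gap to
    the previous event with that SID exceeds maxpause seconds (transaction ... maxpause=5s).
    Returns {sid: [[EventCode, ...], ...]} with events in time order."""
    groups, last_seen = {}, {}
    for ts, raw in sorted(events):                     # sort by timestamp, oldest first
        fields = extract(raw)
        sid = mvindex(fields.get("Security_ID", []), key_index)
        if sid is None:
            continue                                   # event lacks the SID we key on
        when = datetime.fromisoformat(ts)
        runs = groups.setdefault(sid, [])
        if sid in last_seen and when - last_seen[sid] <= timedelta(seconds=maxpause):
            runs[-1].append(fields["EventCode"][0])    # within the pause: same transaction
        else:
            runs.append([fields["EventCode"][0]])      # gap too large: new transaction
        last_seen[sid] = when
    return groups

def matched_pairs(events, key_index=1, maxpause=5):
    """Keep only transactions with two or more events: an A/B pair sharing a SID within maxpause."""
    return {sid: [r for r in runs if len(r) >= 2]
            for sid, runs in transactions(events, key_index, maxpause).items()
            if any(len(r) >= 2 for r in runs)}
```

Keying on index 0 instead of 1 groups everything under the shared subject SID S-1-5-18, which is why choosing the right position in the multivalued field matters.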
Exactly what I needed - thanks again!