Splunk Search

How to get the same search results as transaction, but with other commands like stats?

sadkha
Path Finder

Hi All,

I am using a transaction command to group log data by Account Name. I'm particularly interested in any account names that occur for 2 separate events at the same time. I've been able to get this through a transaction command, however the processing time is just way too long. My search is:

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | transaction Account_name startswith=eval(EventCode="4740") endswith=eval(EventCode="4771") maxspan=1m

Would like to see a table showing Account_Name, ComputerName, CallerName, ClientAddress. The first three are available through EventCode=4740, however it does not give me ClientAddress. The 4771 event (occurred at the same time, for the same user) will have ClientAddress.

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | transaction Account_name startswith=eval(EventCode="4740") endswith=eval(EventCode="4771") maxspan=1m | table DATE/TIME user Account_Domain ComputerName Caller_Computer_Name Client_Address

The above satisfies what I need but are there alternatives?

0 Karma

Runals
Motivator

I'm not logged in but the query I'm building in my head after skimming your post (sorry) looks something like this:

get events | use coalesce() to align fields with different names depending on events if needed | stats dc(date_minute) as same_min values() values() values() by Account_Name | sort -same_min

I say that because in building a single query for a CMDB table generation that aligned fields from 11 sourcetypes across Windows and Linux events I used a combination of coalesce and then stats values() to pull it off. If you use stats w/o values you can end up with multiple lines for one Account_Name. Have used that approach for some Windows queries as well.

0 Karma

sadkha
Path Finder

Thanks for the tip! Any idea on how I can separate the events by both Account_Name and Time? Right now it's aggregating everything for a particular Account_Name, but I was hoping to see if I could separate them by time, so as to only show the 4771 and 4740 events that happened at the same time?

0 Karma

somesoni2
Revered Legend

Give this a try and see if it works and works better...

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | streamstats current=f window=1 first(EventCode) as prevEventCode | where isnull(prevEventCode) OR prevEventCode!=EventCode | eval sno=1 | accum sno | eval so=ceil(sno/2) | stats min(_time) as start max(_time) as end first(user) as user first(Account_Domain) as Account_Domain first(ComputerName) as ComputerName first(Caller_Computer_Name) as Caller_Computer_Name first(Client_Address) as Client_Address by so | eval duration=abs(end-start) | where duration<60
0 Karma
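As an added example (not somesoni2's query and not from any post in this thread), here is a sliding-window variant of the streamstats idea. It reproduces the maxspan=1m behaviour of transaction without pairing events by position in the stream: for each account, streamstats looks back 60 seconds and records which event codes were seen, so a 4740 lockout is only kept when a 4771 for the same account fell within the previous minute (or vice versa). It uses the base search and field names from the thread (index=xxx, Account_Name, ComputerName, Caller_Computer_Name, Client_Address) and assumes both event types carry the locked-out account in Account_Name.

```spl
index=xxx sourcetype="WinEventLog:Security" ((EventCode=4771 AND "Audit Failure") OR EventCode=4740)
| sort 0 _time
| streamstats time_window=60s
        dc(EventCode) as event_types
        values(EventCode) as EventCode
        values(ComputerName) as ComputerName
        values(Caller_Computer_Name) as Caller_Computer_Name
        values(Client_Address) as Client_Address
        by Account_Name
| where event_types=2
| table _time Account_Name EventCode ComputerName Caller_Computer_Name Client_Address
```

The sort 0 _time step is required because time_window needs events in time order; sort 0 removes the default 10,000-row limit. The window only looks backwards, so the row that survives the where filter is the later of the two events, with the earlier event's fields (for example Client_Address from the 4771) folded in by values(). A pair separated by more than 60 seconds is dropped, which matches what maxspan=1m does in the original transaction search.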

sadkha
Path Finder

Unfortunately the two logs aren't aggregated when I tried this, and nothing came up on the stats tab.

When I used ...| stats values(ComputerName) values(EventCode) values(Client_Address) by "Account_Name" , this grouped the events the way I wanted to, however I was wondering if I could:
a) Get rid of the rows that only had a "4771" event
b) Separate the events by time, so as to only show 4771 and 4740 events that occurred at the same time by Account_Name

I think streamstats will accomplish this but not sure how to tweak your suggestion to fit this. Thanks so much for your help!

0 Karma
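An added example (not from any post in this thread) of the stats-based alternative to transaction that covers both the original question and the two follow-up requirements (a) and (b) above: only minutes in which the same account produced both a 4740 and a 4771 are kept, so rows with a 4771 alone disappear, and the Client_Address from the 4771 ends up beside the ComputerName and Caller_Computer_Name from the 4740. It keeps the thread's base search and field names (index=xxx, Account_Name, ComputerName, Caller_Computer_Name, Client_Address); the coalesce with user is an assumption about which field carries the account on each event type.

```spl
index=xxx sourcetype="WinEventLog:Security" ((EventCode=4771 AND "Audit Failure") OR EventCode=4740)
| eval Account_Name=coalesce(Account_Name, user)
| bin _time span=1m
| stats dc(EventCode) as event_types
        values(EventCode) as EventCode
        values(ComputerName) as ComputerName
        values(Caller_Computer_Name) as Caller_Computer_Name
        values(Client_Address) as Client_Address
        by _time Account_Name
| where event_types=2
| table _time Account_Name EventCode ComputerName Caller_Computer_Name Client_Address
```

bin _time span=1m is the stats analogue of maxspan=1m, and dc(EventCode)=2 is the analogue of startswith/endswith both matching. The one difference to be aware of: bin uses fixed minute boundaries, so a 4740 at 12:00:59 and its 4771 at 12:01:01 land in different buckets and are dropped, whereas transaction's maxspan is a sliding window and would pair them. Widen span (for example span=2m) if that matters, at the cost of occasionally grouping two unrelated lockouts of the same account. values() rather than plain stats keeps one row per account and minute, which is what the earlier reply about multiple lines per Account_Name was pointing at.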

sadkha
Path Finder

By using that query with the transaction, I get what I need, but was wondering if there were alternative ways to do this?

0 Karma

sadkha
Path Finder

Would like to see a table showing Account_Name, ComputerName, CallerName, ClientAddress. The first three are available through EventCode=4740, however it does not give me ClientAddress. The 4771 event (occurred at the same time, for the same user) will have ClientAddress.

index=xxx sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:security" (EventCode=4771 AND "Audit Failure") OR "EventCode=4740" | transaction Account_name startswith=eval(EventCode="4740") endswith=eval(EventCode="4771") maxspan=1m | table DATE/TIME user Account_Domain ComputerName Caller_Computer_Name Client_Address

0 Karma

emiller42
Motivator

We won't know if what you want is possible unless you tell us what you want. Can you elaborate on what the intended output is?

0 Karma

sadkha
Path Finder

I am interested in the logs for EventCode=4740, and would like to find the correlating 4771 event which occurred at the same time for a particular user. By using the transaction command with maxspan=1m, it pulls in the logs for both events which happened at the same time for a particular user, and then I can pick and choose which fields I want to show in a table, for every User Account.

0 Karma

somesoni2
Revered Legend

What aggregation do you need to perform? It seems possible to me.

0 Karma