Splunk Search

Is there a better way of searching across a range of EventCodes?

soniquella
Path Finder

Good morning.

I am currently constructing a number of reports showing information relating to our domain controllers.

E.g.
host=domaincontrollers* (EventCode=4944 OR EventCode=4945 OR EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=4949 OR EventCode=4950 OR EventCode=4951 OR EventCode=4952 OR EventCode=4953 OR EventCode=4954 OR EventCode=4957 OR EventCode=4958)

This report should list MPSSVC Rule-Level Policy Changes for the Windows Firewall on the domain controllers.

When there are ranges of event codes available (as above with EventCode 4944-4954) is there a better way to capture all events in a more efficient way?

Many thanks in advance for any help you can offer.

Kind regards,

Rob.

0 Karma

cmerriman
Super Champion

If it is always going to be those eventcodes, host=domaincontrollers* EventCode>=4944 EventCode<=4954 should be fine; you shouldn't have to list out all of the other codes.

0 Karma

gcusello
SplunkTrust

Hi soniquella,

For me, the best way to manage situations like yours is to use a lookup table, so you can also change the list of your EventCodes later:

  • create a lookup, e.g. "eventcodes.csv", with one or two columns (two if you also need a description of the EventCode), taking care to use the same name as the field (EventCode);
  • modify your search: host=domaincontrollers* [ | inputlookup eventcodes.csv | fields EventCode ] | ...

In this way you have in your search all the EventCodes of your lookup, combined with an OR condition.

Bye.
Giuseppe

0 Karma
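Giuseppe's lookup approach written out end to end, as an added example that is not from this thread: the first search builds a constructed eventcodes.csv (the 4944-4954, 4957 and 4958 codes from the question, with placeholder descriptions) via outputlookup; the second uses that lookup both as the subsearch filter and, via the lookup command, to label each result; the third is cmerriman's range form extended to cover the whole list by excluding the two codes (4955, 4956) the question does not include.

```spl
| makeresults count=15
| streamstats count AS n
| eval EventCode = 4943 + n
| search NOT EventCode IN (4955, 4956)
| eval description = case(
      EventCode <= 4945, "placeholder: firewall state at service start",
      EventCode <= 4948, "placeholder: exception-list rule added/modified/deleted",
      EventCode <= 4954, "placeholder: firewall setting or policy changed",
      true(),            "placeholder: rule not applied")
| table EventCode description
| outputlookup eventcodes.csv

host=domaincontrollers* [ | inputlookup eventcodes.csv | fields EventCode ]
| lookup eventcodes.csv EventCode OUTPUT description
| stats count BY host EventCode description
| sort - count

host=domaincontrollers* EventCode>=4944 EventCode<=4958 NOT EventCode IN (4955, 4956)
| stats count BY host EventCode
```

The subsearch expands to (EventCode=4944) OR (EventCode=4945) OR ..., so adding or removing a code only means editing the CSV, not every report that uses it; `| fields EventCode` is what keeps the description column out of that OR.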