Splunk Search

How to generate a search to display results only for a COMBINATION of events?

kalik
Explorer

Hi guys,

I'm trying to do a search that would return results only for a combination of 2 events. I'm specifically looking for successful logins (EventCode=4624) and only want to show results if the host has had both interactive (Logon_Type=2) and remote (Logon_Type=10) logins. I tried my luck with transaction and dedup but had no luck. Any suggestions?

Example:

Host 1 Login, Remote
Host 2 Login, Remote
Host 2 Login, Remote
Host 1 Login, Interactive
Host 3 Login, Interactive
Host 4 Login, Remote
Host 4 Login, Interactive

This would ideally just return info on Host 1 and Host 4 because they have both interactive and remote logons, while Host 2 has only remote and Host 3 has only interactive.

Ideally the result would be just a table of hosts and possibly timestamps of the logins.

0 Karma
1 Solution


somesoni2
SplunkTrust

How about this

index=foo sourcetype=bar EventCode=4624 (Logon_Type=2 OR Logon_Type=10) | stats values(Logon_Type) as Logon_Types by host | where mvcount(Logon_Types)=2
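The logic of the accepted answer, as an added example that is not part of the original thread: the same "keep only hosts that have every required logon type" check, run over a handful of constructed Windows Security events (hypothetical hosts, users and timestamps) so it can be executed offline. It goes slightly beyond the SPL by accepting any set of required logon types rather than exactly 2 and 10, and by keeping the per-type timestamps the question asked for. Function and field names are the example's own; the fields (`_time`, `host`, `EventCode`, `Logon_Type`) mirror what Splunk exposes for these events.

```python
"""Added example (not from the Splunk thread): hosts with BOTH a Logon_Type=2 and a
Logon_Type=10 successful logon (EventCode=4624), mirroring

    ... EventCode=4624 (Logon_Type=2 OR Logon_Type=10)
    | stats values(Logon_Type) as Logon_Types by host
    | where mvcount(Logon_Types)=2

but generalised to any required set of logon types and keeping timestamps.
"""
from collections import defaultdict

# Constructed sample events (hypothetical hosts/users/times); one dict per
# Windows Security event, using the field names Splunk extracts for them.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "host": "host1", "EventCode": 4624, "Logon_Type": 10, "user": "alice"},
    {"_time": "2024-03-01T08:05:00", "host": "host2", "EventCode": 4624, "Logon_Type": 10, "user": "bob"},
    {"_time": "2024-03-01T08:07:00", "host": "host2", "EventCode": 4624, "Logon_Type": 10, "user": "bob"},
    {"_time": "2024-03-01T09:00:00", "host": "host1", "EventCode": 4624, "Logon_Type": 2, "user": "alice"},
    {"_time": "2024-03-01T09:10:00", "host": "host3", "EventCode": 4624, "Logon_Type": 2, "user": "carol"},
    {"_time": "2024-03-01T10:00:00", "host": "host4", "EventCode": 4624, "Logon_Type": 10, "user": "dave"},
    {"_time": "2024-03-01T10:30:00", "host": "host4", "EventCode": 4624, "Logon_Type": 2, "user": "dave"},
    # Noise the base search must drop: a failed logon (4625) and a service logon (type 5).
    {"_time": "2024-03-01T10:31:00", "host": "host3", "EventCode": 4625, "Logon_Type": 10, "user": "carol"},
    {"_time": "2024-03-01T10:32:00", "host": "host3", "EventCode": 4624, "Logon_Type": 5, "user": "svc"},
]

# Interactive (2) and RemoteInteractive (10), as in the question.
REQUIRED_TYPES = frozenset({2, 10})


def hosts_with_all_logon_types(events, required=REQUIRED_TYPES, event_code=4624):
    """Return {host: {logon_type: [timestamps, ...]}} for every host that has at
    least one successful logon of EVERY type in `required`."""
    per_host = defaultdict(lambda: defaultdict(list))
    for ev in events:
        # Base search: EventCode=4624 AND Logon_Type in the required set.
        if ev["EventCode"] != event_code or ev["Logon_Type"] not in required:
            continue
        per_host[ev["host"]][ev["Logon_Type"]].append(ev["_time"])
    # stats values(Logon_Type) by host | where mvcount(...) = number of required types.
    # Comparing sets (not just counts) keeps this correct even if the base
    # filter is later widened to more logon types than are required.
    return {h: dict(types) for h, types in per_host.items() if set(types) == set(required)}


def logon_summary(events, required=REQUIRED_TYPES):
    """Flatten the result to rows (host, logon_type, first_seen, last_seen, count),
    sorted by host then logon type, like a Splunk table."""
    rows = []
    for host, types in sorted(hosts_with_all_logon_types(events, required).items()):
        for logon_type in sorted(types):
            times = sorted(types[logon_type])
            rows.append((host, logon_type, times[0], times[-1], len(times)))
    return rows


if __name__ == "__main__":
    # Expect host1 and host4 only: host2 has only remote, host3 only interactive.
    for row in logon_summary(SAMPLE_EVENTS):
        print(row)
```

One caveat this makes visible: `where mvcount(Logon_Types)=2` is only correct because the base search restricts events to exactly two logon types; if you widen the search to more types, compare the values themselves (as the Python does) or adjust the count. To get the timestamps in Splunk itself, the stats clause can additionally compute `min(_time)` and `max(_time)` per host and logon type, which is what `logon_summary` emulates.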

kalik
Explorer

Thanks a lot somesoni2, that worked exactly like I wanted it to, and such a simple and elegant solution too! Thanks again!

0 Karma

hunters_splunk
Splunk Employee

Hi kalik,

I think you can use the mvcombine command to combine different login values pertaining to the same host into a single multivalue field. Assuming login is your field name, you can use the following example:

... | mvcombine delim=";" login 

After that, you can easily search for the multivalue login field for your login type and return the hostnames properly.

Hope this helps. Thanks!
Hunter

0 Karma

kalik
Explorer

Thanks Hunter, that didn't exactly work the way I wanted it to, but thank you for the suggestion!

0 Karma