Hi
I captured an event, and I want to do a search whose time range is based on the time of the previously captured event.
For example, I do following search
index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4624 | table _time
this will return me a list of all 4624 events with Account_Name=abc like below
08/24/2017:06:37:11
08/24/2017:09:37:11
......
For each of those times I want to check whether there is a 4688 event in the 5-minute window. To run this manually, the search queries would look like this:
08/24/2017:06:37:11
index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4688 earliest="08/24/2017:06:32:11" latest="08/24/2017:06:37:11"
08/24/2017:09:37:11
index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4688 earliest="08/24/2017:09:32:11" latest="08/24/2017:09:37:11"
......
I tried to do it as a subsearch, but it doesn't pick up the subsearch result as the time range. Can anyone give some suggestions, please?
index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4688
[ search index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4624
| eval earliest=strftime(_time-300,"%m/%d/%Y:%H:%M:%S")
| eval latest=strftime(_time,"%m/%d/%Y:%H:%M:%S")
| top limit=1 earliest, latest
| table earliest, latest
]
Unless there are only a very few of these, the method you are requesting will be very inefficient.
Here's a different way to go about it. Basically, you grab all the 4624 and 4688 records that you might need, sort them into _time (or sometimes reverse _time) order, then copy the 4688 data forward onto any 4624 events that happen within a 5-minute time window. Finally, you throw away all the 4688s and the 4624s that did not find a 4688, and the results are the data you want.
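One way to write the single-pass search described above, as an added example rather than the answerer's own query: sort both event types ascending, stamp the process-creation time onto 4688 rows, fill it down onto the following rows, and keep only the logons whose most recent 4688 is at most 300 seconds older. It assumes the Account_Name and New_Process_Name fields as extracted by the Splunk Windows add-on; if the 4688 is expected after the logon instead, sort with -_time and swap the subtraction.

```spl
index=wineventlog source="WinEventLog:Security" Account_Name=abc (EventCode=4624 OR EventCode=4688)
| sort 0 _time
| eval proc_time=if(EventCode=4688, _time, null()), proc_name=if(EventCode=4688, New_Process_Name, null())
| filldown proc_time proc_name
| where EventCode=4624 AND isnotnull(proc_time) AND (_time - proc_time) <= 300
| eval logon_time=strftime(_time, "%m/%d/%Y:%H:%M:%S"), last_4688=strftime(proc_time, "%m/%d/%Y:%H:%M:%S"), gap_sec=_time - proc_time
| table logon_time Account_Name last_4688 proc_name gap_sec
```

Because filldown carries only the most recent 4688 forward, a logon with any 4688 inside the window will always see the closest one, so the where clause is sufficient; the 4688 rows themselves fall out because the filter keeps EventCode=4624 only.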