Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch? Transaction? I'm not sure

MrWh1t3
Path Finder
‎10-02-2012 11:31 PM

All,

I'm not sure what type of search I need to use...

What I would like to do is the following;

Search for EventId 4688, 4624, 4672, 4688, 4689 all within a few seconds.

I can't seem to get it to work using transaction.

Here is what I have just as a test:

source="WinEventLog:Security" * |transaction "EventCode=4688" "EventCode=4689" maxspan=30s maxpause=5s

I would think I should get something back from this as it's a simple, Process Created, Process Exited.

Make sense?

This is where I got the idea - http://www.sysforensics.org/2012/04/splunk-and-malware-fun.html

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-03-2012 12:03 AM

What did you try that did not work?

transaction sounds like exactly what you should use. Something like:

EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689

This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host, to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-03-2012 12:03 AM

What did you try that did not work?

transaction sounds like exactly what you should use. Something like:

EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689

This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host, to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...