Subsearches & Joins

MikeElliott
Communicator

Hi Team,

I'm writing a search that will alert when a user account authenticates and is granted privileges. Our admin team often uses the Remote Control Viewer to remote into assets, and we would like to exclude them. Unfortunately, we don't have a standardised naming convention, so we can exclude some admin accounts, but not all of them.

I want to write a search that takes the Account_Name, and then runs a sub-search to identify whether that Account_Name has been associated with the New_Process_Name of *RemoteControlViewer.exe and, if they have, exclude them.

I've got the below logic and I've played around with multiple types of join and appendcols, but I'm getting nowhere. Can someone help?

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672) AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin" Account_Domain="<DOMAIN>") 
| join Account_Name 
    [ search sourcetype=WinEventLog:Security EventCode=4688 
    | stats values(New_Process_Name) AS NPN by Account_Name
    | fields NPN] 
| search NOT 
    [| inputlookup WL_Global 
    | rename src as Source_Network_Address 
    | fields Source_Network_Address] 
| search NOT 
    [| inputlookup WL_B_10_104 
    | fields Account_Name, host] 
| fillnull value=N/A Group_Domain Group_Name 
| eval Target_Account=mvindex(Security_ID, -0) 
| convert ctime(_time) as Time timeformat="%H:%M:%S %d/%m/%y" 
| stats values(Account_Domain) as Account_Domain values(NPN) as New_PN values(name) as name values(Group_Name) as Group_Name values(Group_Domain) as Group_Domain by Account_Name host Time
| search New_PN!=*RemoteControlViewer.exe
| fields Time Account_Name host Account_Domain name Group_Name Group_Domain

Any assistance would be greatly appreciated.


whrg
Motivator

I think your troubles lie with the join command. Check out the join documentation.

When using the join command, one or more fields must be common between the base search and the sub search. (They are specified right after the join command.) In your case, the specified common field is Account_Name, but the subsearch only returns the field NPN. So there will be no matches.

I think it might be easier here to use a subsearch instead of a join operation. Try it like this:

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672) AND (Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin" Account_Domain="<DOMAIN>") 
NOT [search sourcetype=WinEventLog:Security EventCode=4688 New_Process_Name="*RemoteControlViewer.exe"
   | table Account_Name] 
...
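The exclusion whrg describes, written out in full as an added example rather than code from either post: the subsearch returns only the Account_Name column, which Splunk expands into an OR of Account_Name="..." terms that the outer NOT negates, so the field name must match the outer search and no other field may be returned. The second search is an alternative that avoids the subsearch entirely by pulling the 4688 events into the same stats pass, which matters once the subsearch would hit the default 10,000-result / 60-second subsearch limits; the earliest=-7d@d window is an assumption.

```spl
sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672)
    Account_Domain="<DOMAIN>"
    Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin"
    NOT [ search sourcetype=WinEventLog:Security EventCode=4688
              New_Process_Name="*RemoteControlViewer.exe" earliest=-7d@d
          | stats count BY Account_Name
          | fields Account_Name ]
| fillnull value=N/A Group_Domain Group_Name
| convert ctime(_time) AS Time timeformat="%H:%M:%S %d/%m/%y"
| stats values(Account_Domain) AS Account_Domain values(Group_Name) AS Group_Name
        values(Group_Domain) AS Group_Domain BY Account_Name host Time

sourcetype=WinEventLog:Security (EventCode=4732 OR EventCode=4672 OR EventCode=4688)
    Account_Domain="<DOMAIN>"
    Account_Name!="svc*" Account_Name!="SYSTEM" Account_Name!="*$" Account_Name!="*dmin"
| eval rcv=if(EventCode="4688" AND like(New_Process_Name, "%RemoteControlViewer.exe"), 1, 0)
| eval priv=if(EventCode!="4688", 1, 0)
| stats max(rcv) AS used_rcv sum(priv) AS priv_events
        values(eval(if(EventCode!="4688", host, null()))) AS host BY Account_Name
| where used_rcv=0 AND priv_events>0
```

Account_Name on a 4688 event can be multivalued (subject and target account); stats ... BY Account_Name puts each value in its own group, which is what the exclusion needs.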