Splunk Enterprise Security

How to get the data in groups for a particular set of data?

gndivya
Explorer

Hi,

I have 2 sets of data as below.

Set1
User1 dest1 Time1 EventCode-4722
User1 dest1 Time2 EventCode-4726
User1 dest1 Time3 EventCode-4722
User1 dest1 Time4 EventCode-4726
User1 dest1 Time5 EventCode-4722

Set2
User2 dest2 Time1 EventCode-4726
User2 dest2 Time2 EventCode-4722
User2 dest2 Time3 EventCode-4726

I need to get all the complete sets of data (including the other fields) that start with EventCode 4722 and end with 4726. How can I achieve this?

I want data as
set 1
User1 dest1 Time1 EventCode-4722
User1 dest1 Time2 EventCode-4726

set 2
User1 dest1 Time3 EventCode-4722
User1 dest1 Time4 EventCode-4726

set3
User2 dest2 Time2 EventCode-4722
User2 dest2 Time3 EventCode-4726

Please help. Thanks in advance.


kamlesh_vaghela
SplunkTrust

@gndivya

Can you please try this?

YOUR_SEARCH | transaction endswith=EventCode="EventCode-4722" 
| where linecount=2 
| eval tmp=mvzip(Time,EventCode) 
| mvexpand tmp 
| eval Time=mvindex(split(tmp,","),0),EventCode=mvindex(split(tmp,","),1) 
| table User Dest Time EventCode

Sample Search:

| makeresults count=5 
| eval a=1 
| accum a 
| eval User="User1", Dest="dest1",Time="Time".a , c=a%2, EventCode="EventCode-".if(c==1,4722,4726) 
| table _time User Dest Time EventCode 
| rename comment as "Upto this is for data generation only" 
| transaction endswith=EventCode="EventCode-4722" 
| where linecount=2 
| eval tmp=mvzip(Time,EventCode) 
| mvexpand tmp 
| eval Time=mvindex(split(tmp,","),0),EventCode=mvindex(split(tmp,","),1) 
| table User Dest Time EventCode



| makeresults count=3 
| eval a=1 
| accum a 
| eval User="User2", Dest="dest2",Time="Time".a , c=a%2, EventCode="EventCode-".if(c==1,4726,4722) 
| table _time User Dest Time EventCode
| rename comment as "Upto this is for data generation only"
| transaction endswith=EventCode="EventCode-4722" 
| where linecount=2 
| eval tmp=mvzip(Time,EventCode) 
| mvexpand tmp 
| eval Time=mvindex(split(tmp,","),0),EventCode=mvindex(split(tmp,","),1) 
| table User Dest Time EventCode
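The same pairing the question asks for, as an added example that is not from this thread, written in plain Python so the grouping rule is explicit rather than hidden inside transaction: a 4722 (account enabled) opens a set, the next 4726 (account deleted) for the same User/dest closes it, and a 4722 with no following 4726 or a 4726 with no preceding 4722 is dropped. The event list is constructed to mirror the two sets in the question; the field names and integer Time values are assumptions.

```python
from collections import defaultdict

# Constructed sample events, modelled on the two sets in the question.
# Time is an integer stand-in for _time so the events sort chronologically.
SAMPLE_EVENTS = [
    {"User": "User1", "dest": "dest1", "Time": 1, "EventCode": 4722},
    {"User": "User1", "dest": "dest1", "Time": 2, "EventCode": 4726},
    {"User": "User1", "dest": "dest1", "Time": 3, "EventCode": 4722},
    {"User": "User1", "dest": "dest1", "Time": 4, "EventCode": 4726},
    {"User": "User1", "dest": "dest1", "Time": 5, "EventCode": 4722},
    {"User": "User2", "dest": "dest2", "Time": 1, "EventCode": 4726},
    {"User": "User2", "dest": "dest2", "Time": 2, "EventCode": 4722},
    {"User": "User2", "dest": "dest2", "Time": 3, "EventCode": 4726},
]

START_CODE = 4722  # opens a set
END_CODE = 4726    # closes a set


def pair_events(events, start_code=START_CODE, end_code=END_CODE):
    """Return a list of sets, each a [start_event, end_event] pair.

    Events are grouped by (User, dest) and walked in Time order. A start
    event opens a pending set; the next end event closes it. A start with
    no following end (User1 Time5) and an end with no preceding start
    (User2 Time1) are dropped, which matches the output asked for.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["User"], ev["dest"])].append(ev)

    sets = []
    for key in sorted(by_key):
        pending = None
        for ev in sorted(by_key[key], key=lambda e: e["Time"]):
            if ev["EventCode"] == start_code:
                pending = ev          # a new start supersedes an unclosed one
            elif ev["EventCode"] == end_code and pending is not None:
                sets.append([pending, ev])
                pending = None
    return sets


if __name__ == "__main__":
    for n, (start, end) in enumerate(pair_events(SAMPLE_EVENTS), 1):
        print(f"set {n}")
        for ev in (start, end):
            print(f"  {ev['User']} {ev['dest']} Time{ev['Time']} EventCode-{ev['EventCode']}")
```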