Hi,
I've run into a problem: Splunk ingests Window's security events in such a way that field names may occur more than once and have different values assigned. (e.g., 'Security_ID' can equate to any of the following: alpha-numeric account SID, actual account name, or even account group) I want to compose a search that compares the SIDs from two different events and gives results if a match is found. Something like:
Search for two events, A & B, occurring within 5 seconds of each other, where A possesses an alpha-numeric SID that exactly matches an alpha-numeric SID listed in event B.
The alpha-numeric value is not known in advance. Any insight on how to do this? Your help is much appreciated!
-Dave
... View more