Hi,
I am trying to make a table that shows the logins outside of business hours, and to show alongside whether the user had a reason to log in (a change request or an incident).
Search 1 returns login and failed-login events from Windows.
(sourcetype=*:Security ((EventCode=4624 user32) OR EventCode=4625) host="*")
| search $t_user$
| eval hour = tonumber(strftime(_time,"%H"))
| eval wknd = tonumber(strftime(_time,"%w"))
| where (hour<=8 OR hour>=19) OR (wknd==0 OR wknd==6)
| table user, _time, src_nt_host, signature
| rename src_nt_host AS "Server", signature AS "Event details"
Result:
user, _time, Server, Event details
john smith,2017-10-12 15:29:44,WIN-BFQE1D,An account was successfully logged on
Search 2 returns change requests from a CSV.
sourcetype="changes"
| search $t_user$
| table changeid, startdate, enddate, changecoordinator
Result:
changeid, startdate, enddate, changecoordinator
CR311,2017-10-12 09:30:00,2017-10-12 19:30:00,John Smith
CR312,2017-10-12 22:30:00,2017-10-12 23:00:00,John Smith
The two searches have a common field (user and Change Coordinator), and there can be several changes for one user. How can I append search 2 to search 1 and see the changeids on the same row?
Final Result:
user, _time, Server, Event details, changeid
john smith,2017-10-12 15:29:44,WIN-BFQE1D,An account was successfully logged on,CR311 and CR312
I see there are many commands in Splunk to correlate data, but I don't know which one would be better for my case.
Thanks!
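One way to do this correlation in SPL, as an added example that is not part of the original post: it keeps the off-hours filter from search 1, left-joins the change list from search 2 on a lower-cased user name, and collapses several change IDs for one user into a single cell. The `join_user` field is an assumed helper name; the `$t_user$` token, sourcetypes and field names are taken from the post as-is.

```spl
(sourcetype=*:Security ((EventCode=4624 user32) OR EventCode=4625) host="*")
| search $t_user$
``` off-hours rule from search 1: before 09:00, after 19:00, or a weekend ```
| eval hour=tonumber(strftime(_time,"%H")), wknd=tonumber(strftime(_time,"%w"))
| where (hour<=8 OR hour>=19) OR (wknd==0 OR wknd==6)
``` normalise the key so "john smith" matches "John Smith" ```
| eval join_user=lower(user)
``` type=left keeps logins that have no change request at all ```
| join type=left join_user
    [ search sourcetype="changes"
      | search $t_user$
      | eval join_user=lower(changecoordinator)
      ``` one row per coordinator, changeid becomes a multivalue field ```
      | stats values(changeid) AS changeid BY join_user ]
``` "none" flags an off-hours login with no ticket behind it ```
| eval changeid=if(isnull(changeid), "none", mvjoin(changeid, " and "))
| table user, _time, src_nt_host, signature, changeid
| rename src_nt_host AS "Server", signature AS "Event details"
```

This attaches every change owned by the coordinator, not only those whose startdate/enddate window covers the login time; the next refinement would be to parse those dates with strptime and keep only overlapping changes. Note that join limits its subsearch to 50,000 results by default, so for a large change list a lookup or an append plus stats is the more scalable pattern.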