
Can I make a compound search for this Windows event log?

Cboats
New Member

Hi all,

I hope somebody can help.

I'm looking to create a search based on the following in a Windows event log. I'm not even sure it's referred to as a compounded search, and if that's wrong in the Splunk world, what is the correct term? It seems my googling skills have failed me this time round.

EventID-5145 and RelativeTargetName={srvcsvc or lsarpc or samr} and at least 3 occurrences with different RelativeTargetName and Same (Source IP, Port) and SourceUserName not like "*DC*$" within 1 minute

Thanks in advance


bowesmana
SplunkTrust

Something like

index=your_event_index EventID=5145 RelativeTargetName IN ("srvcsvc","lsarpc","samr") NOT SourceUserName="*DC*$"
| bin _time span=1m
| stats dc(RelativeTargetName) as UniqueTargets by _time src_ip src_port
| where UniqueTargets=3

Note that the RelativeTargetName search is exact; add wildcards in the IN clause if needed.

Also, you have 3 target names, so you will only have a max of 3 unique targets; maybe I misunderstood your 'at least 3 with different' point.

Adjust the fields to match your data as needed.
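The same detection logic as the search above, written as a small Python check over constructed sample events so the 1-minute bucketing, the distinct-target count and the DC machine-account exclusion can be seen running; this is an added illustration, not code from the thread, and the field names src_ip/src_port, the pipe names and the "*DC*$" glob are taken from the question and answer. A second call with a wider span shows that activity straddling a minute boundary is only caught when the bucket is widened.

```python
from collections import defaultdict
from datetime import datetime, timezone
import fnmatch

# Constructed sample events (not from the thread): field=value layout as Splunk
# would present an extracted 5145 event, with a UTC timestamp up front.
SAMPLE_EVENTS = """\
2024-05-01T10:00:05Z EventID=5145 src_ip=10.0.0.7 src_port=49152 SourceUserName=alice RelativeTargetName=srvcsvc
2024-05-01T10:00:20Z EventID=5145 src_ip=10.0.0.7 src_port=49152 SourceUserName=alice RelativeTargetName=lsarpc
2024-05-01T10:00:41Z EventID=5145 src_ip=10.0.0.7 src_port=49152 SourceUserName=alice RelativeTargetName=samr
2024-05-01T10:02:10Z EventID=5145 src_ip=10.0.0.9 src_port=50000 SourceUserName=bob RelativeTargetName=srvcsvc
2024-05-01T10:02:15Z EventID=5145 src_ip=10.0.0.9 src_port=50000 SourceUserName=bob RelativeTargetName=lsarpc
2024-05-01T10:03:30Z EventID=5145 src_ip=10.0.0.9 src_port=50000 SourceUserName=bob RelativeTargetName=samr
2024-05-01T10:05:01Z EventID=5145 src_ip=10.0.0.2 src_port=445 SourceUserName=DC01$ RelativeTargetName=srvcsvc
2024-05-01T10:05:02Z EventID=5145 src_ip=10.0.0.2 src_port=445 SourceUserName=DC01$ RelativeTargetName=lsarpc
2024-05-01T10:05:03Z EventID=5145 src_ip=10.0.0.2 src_port=445 SourceUserName=DC01$ RelativeTargetName=samr
2024-05-01T10:06:00Z EventID=4624 src_ip=10.0.0.7 src_port=49152 SourceUserName=alice RelativeTargetName=samr
"""

PIPES = {"srvcsvc", "lsarpc", "samr"}  # RelativeTargetName values listed in the question
EXCLUDE_USER_GLOB = "*DC*$"            # SourceUserName pattern to drop (DC machine accounts)
MIN_UNIQUE = 3                          # "at least 3 occurrences with different RelativeTargetName"

def parse(line):
    """Split one sample line into a dict; _time becomes an aware UTC datetime."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def find_pipe_enumeration(raw, span_seconds=60):
    """Return {(bucket_start_iso, src_ip, src_port): unique_target_count} for groups
    that reach MIN_UNIQUE distinct pipes inside one time bucket (bin _time span=...)."""
    seen = defaultdict(set)
    for line in raw.splitlines():
        ev = parse(line)
        if ev.get("EventID") != "5145" or ev.get("RelativeTargetName") not in PIPES:
            continue
        # Splunk wildcard matches on field values are case-insensitive, so compare upper-cased.
        if fnmatch.fnmatchcase(ev.get("SourceUserName", "").upper(), EXCLUDE_USER_GLOB.upper()):
            continue
        epoch = int(ev["_time"].timestamp())
        bucket = epoch - epoch % span_seconds
        bucket_iso = datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        seen[(bucket_iso, ev["src_ip"], ev["src_port"])].add(ev["RelativeTargetName"])
    # stats dc(RelativeTargetName) as UniqueTargets by _time src_ip src_port | where UniqueTargets>=3
    return {key: len(names) for key, names in seen.items() if len(names) >= MIN_UNIQUE}
```

With the default 1-minute span only alice's 10.0.0.7:49152 group is reported; bob's three pipes span the 10:02/10:03 boundary and only surface with span_seconds=300, while DC01$ is dropped by the glob in both cases.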

