Splunk Search

EventCode Subsearch

jeradb
Explorer

I have an application that I am trying to monitor.  There is a specific event code for when the tool is opened to modify the tool (EventCode=250).  There is an EventCode for when it is closed (EventCode=100).  These two codes display a user name, but the events between them do not.  How can I write a search to look for these two events then display the changes between them with the username who completed the change?  

| from datamodel:P3 | search EventCode=250 OR 100 OR 70 OR 80
| eval user = coalesce(User, Active_User)
| eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P")
| table Event_Time, host,user,Device_Added,Device_SN,Device_ID,EventCode, EventDescription

Event_Time           | host     | user  | Device_Added | Device_SN | Device_ID | EventCode
02/22/24 08:49:44 am | Test-Com | xxxxx |              |           |           | 100
02/21/24 03:59:12 pm | Test-Com | xxxxx |              |           |           | 250
02/21/24 03:56:08 pm | Test-Com | xxxxx |              |           |           | 100
02/21/24 03:56:00 pm | Test-Com |       | USB 1        | 12345     | PID_1     | 70
02/21/24 03:56:00 pm | Test-Com |       | USB 2        | 6789      | PID_2     | 70
02/21/24 03:51:10 pm | Test-Com |       | USB 1        | 12345     | PID_1     | 80
02/21/24 03:50:44 pm | Test-Com | xxxxx |              |           |           | 250

yuanliu
SplunkTrust

If the illustrated fields are all you have, the only link between 250 -> 100 (with user) and the rest of the events (without) is host.  I highly doubt this can be sufficient to determine what a user has done between 250 and 100, unless this tool is strictly single-user and no other things can generate any of these events.

If the tool is single-user only, you can use transaction to group these events together, like

| transaction host startswith="EventCode=250" endswith="EventCode=100"

Once transactions are established, you can then glean completed transactions for event codes that are not 250 and 100.  For example,

| transaction host startswith="EventCode=250" endswith="EventCode=100"
| stats values(EventCode) as EventCode values(user) as user by host
| eval EventCode = mvfilter(NOT EventCode IN ("250", "100"))

Hope this helps.


jeradb
Explorer

@yuanliu  Is there a way to say if EventCode=70 look upstream for EventCode=250 and join User?  I am only trying to capture who created the event.


yuanliu
SplunkTrust

This is very much a question of efficiency.  If you have a relatively small number of event 70 in a short period of time, but event 250 was some long time ago, using subsearch would be more efficient than retrieving both types of events for a long period of time.

You also need to tell us which EventCodes give you User and which give you Active_User.  Assuming that EventCode 250 gives you Active_User but 70 gives you User, you can do something like

| from datamodel:P3
| search EventCode=250 earliest=-1mon ``` earliest value for demonstration purpose only ```
    [ from datamodel:P3
    | search EventCode=70 earliest=-1h ``` earliest value for demonstration purpose only ```
    | stats values(User) as Active_User ``` assuming User is present in EventCode 70 to match Active_User in EventCode 250 ``` ]
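The two answers above describe the same correlation in two ways: group each 250 -> 100 pair into a session (transaction), or look upstream from a 70 for the nearest 250 and take its user. Before committing to either search, it can help to state the attribution rule precisely and check it against the rows from the question. The following is an added Python reference implementation of that rule, not SPL and not code from anyone in this thread; the sample rows are constructed from the question's table, and the function assumes that a 100 carrying a user closes that user's own open session on the same host. It also flags the case yuanliu raises, a change event on a host with no open session or with two users' sessions overlapping, instead of guessing.

```python
from datetime import datetime

# Event codes from the question: 250 = tool opened for modification (has a user),
# 100 = tool closed (has a user), 70/80 = the device changes in between (no user).
OPEN_CODE, CLOSE_CODE = 250, 100
CHANGE_CODES = {70, 80}

# Python's %p parses "am"/"pm" case-insensitively, so it reads the lowercase
# output of the question's strftime(..., "%P").
TIME_FMT = "%m/%d/%y %I:%M:%S %p"

# Constructed sample: the rows from the question's table, newest first, as the
# search returned them. Field names follow the question's table command.
SAMPLE_EVENTS = [
    {"Event_Time": "02/22/24 08:49:44 am", "host": "Test-Com", "user": "xxxxx", "EventCode": 100},
    {"Event_Time": "02/21/24 03:59:12 pm", "host": "Test-Com", "user": "xxxxx", "EventCode": 250},
    {"Event_Time": "02/21/24 03:56:08 pm", "host": "Test-Com", "user": "xxxxx", "EventCode": 100},
    {"Event_Time": "02/21/24 03:56:00 pm", "host": "Test-Com", "user": None, "EventCode": 70,
     "Device_Added": "USB 1", "Device_SN": "12345", "Device_ID": "PID_1"},
    {"Event_Time": "02/21/24 03:56:00 pm", "host": "Test-Com", "user": None, "EventCode": 70,
     "Device_Added": "USB 2", "Device_SN": "6789", "Device_ID": "PID_2"},
    {"Event_Time": "02/21/24 03:51:10 pm", "host": "Test-Com", "user": None, "EventCode": 80,
     "Device_Added": "USB 1", "Device_SN": "12345", "Device_ID": "PID_1"},
    {"Event_Time": "02/21/24 03:50:44 pm", "host": "Test-Com", "user": "xxxxx", "EventCode": 250},
]


def parse_time(text):
    return datetime.strptime(text, TIME_FMT)


def attribute_changes(events):
    """Attach a session_user to every 70/80 event.

    Events are replayed per host in time order. An EventCode 250 opens a
    session for its user and an EventCode 100 closes that user's session
    (assumption: the 100 names the same user as the 250). A change event is
    attributed only when exactly one session is open on its host; otherwise
    it is flagged: no open 250, or overlapping sessions from two users.
    """
    ordered = sorted(events, key=lambda e: (e["host"], parse_time(e["Event_Time"])))
    open_sessions = {}  # host -> users whose 250 has not yet been matched by a 100
    attributed = []
    for event in ordered:
        host, code = event["host"], int(event["EventCode"])
        users = open_sessions.setdefault(host, [])
        if code == OPEN_CODE:
            users.append(event["user"])
        elif code == CLOSE_CODE:
            # close the closing user's own session; fall back to the most recent one
            if event["user"] in users:
                users.remove(event["user"])
            elif users:
                users.pop()
        elif code in CHANGE_CODES:
            row = dict(event)
            if len(users) == 1:
                row["session_user"] = users[0]
            elif not users:
                row["session_user"] = "UNATTRIBUTED"  # no open 250 on this host
            else:
                row["session_user"] = "AMBIGUOUS:" + ",".join(users)
            attributed.append(row)
    return attributed


def as_table(rows):
    """Render attributed rows in the column order of the question's table command."""
    cols = ["Event_Time", "host", "session_user", "Device_Added", "Device_SN", "Device_ID", "EventCode"]
    lines = [" | ".join(cols)]
    for row in rows:
        lines.append(" | ".join(str(row.get(c, "")) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_table(attribute_changes(SAMPLE_EVENTS)))
```

On the question's rows this attributes the 80 at 03:51:10 and both 70s at 03:56:00 to xxxxx, because they fall between the 250 at 03:50:44 and the 100 at 03:56:08 on Test-Com; the later 250/100 pair brackets no change events. The ordering by (host, time) and the per-host session list are what the `transaction host startswith=... endswith=...` approach does implicitly, and the AMBIGUOUS/UNATTRIBUTED markers make visible exactly the cases where host alone is not enough to name the user.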

