Solved: How to write events within 2 minutes of the first ...

Splunk77 · ‎05-09-2023

I am working on a query to report on events generated within 2 minutes of the first event for the same host.

In the following example, I need a query to look for any occurrence of EventType 4697 within two minutes of EventType 4624 for the same ComputerName

ComputerName=x (This is a unique field)

EventType=4624

EventType=4697

Thanks.

VatsalJagani · ‎05-09-2023

@Splunk77 - Have you tried the transaction command like below:

index=<your_index> EventType=4624 OR EventType=4697
| transaction ComputerName startswith="EventType=4624" endswith="EventType=4697" maxspan=2m
| search EventType=4697

I hope this helps!!!

View solution in original post

VatsalJagani · ‎05-09-2023

@Splunk77 - Have you tried the transaction command like below:

index=<your_index> EventType=4624 OR EventType=4697
| transaction ComputerName startswith="EventType=4624" endswith="EventType=4697" maxspan=2m
| search EventType=4697

I hope this helps!!!

Splunk77 · ‎05-09-2023

Running this query and not quite getting the desired results. I have test events generated within a 2 minute window. Expanded maxspan to 5 minutes to capture a larger window.

How to write events within 2 minutes of the first event for the same host?

eval

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!