https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/482041#M31615 <P>Here</P> <PRE><CODE>&lt;form script="wineventlog.js"&gt; &lt;label&gt;WinEventLog Explorer&lt;/label&gt; &lt;description&gt;&lt;/description&gt; &lt;search&gt; &lt;query&gt; | makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time) &lt;/query&gt; &lt;earliest&gt;$TIMERANGE1.earliest$&lt;/earliest&gt; &lt;latest&gt;$TIMERANGE1.latest$&lt;/latest&gt; &lt;preview&gt; &lt;set token="pst_earliest_onChange1"&gt;$result.temp_earliest$&lt;/set&gt; &lt;set token="pst_latest_onChange1"&gt;$result.temp_latest$&lt;/set&gt; &lt;/preview&gt; &lt;/search&gt; &lt;search&gt; &lt;query&gt; | makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?&lt;eventcode&gt;.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=") &lt;/query&gt; &lt;preview&gt; &lt;set token="eventcodes_query"&gt;$result.eventcodes_query$&lt;/set&gt; &lt;/preview&gt; &lt;/search&gt; &lt;row&gt; &lt;panel&gt; &lt;html&gt; &lt;br/&gt; &lt;p&gt; Select &lt;b&gt;search raw data&lt;/b&gt; to search raw data. &lt;b&gt;Strongly not recommended&lt;/b&gt; for time periods greater than 1h. &lt;/p&gt; &lt;p&gt; If &lt;b&gt;search raw data&lt;/b&gt; is not selected, these data fields are searched: &lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;p&gt;NetworkID -- user, User, Mapped_Name&lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt;Hostname -- host, src, Caller_Computer_Name&lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt;IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address&lt;/p&gt; &lt;/li&gt; &lt;/ul&gt; &lt;br/&gt; &lt;/html&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Search ($search_count$)&lt;/title&gt; &lt;input type="time" token="TIMERANGE1"&gt; &lt;label&gt;Period:&lt;/label&gt; &lt;default&gt; &lt;earliest&gt;@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="network_id_onChange"&gt; &lt;label&gt;NetworkID:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="host_onChange"&gt; &lt;label&gt;Hostname or IP:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="checkbox" token="raw_onChange"&gt; &lt;label&gt;&lt;/label&gt; &lt;choice value="*"&gt;Search raw data?&lt;/choice&gt; &lt;default&gt;junkvalue&lt;/default&gt; &lt;/input&gt; &lt;input type="multiselect" token="logs_onChange" id="multiselect_logs"&gt; &lt;label&gt;Log(s):&lt;/label&gt; &lt;choice value="All *"&gt;All&lt;/choice&gt; &lt;search&gt; &lt;query&gt; index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?&lt;logname&gt;.+)" | eval log=logname." ".EventCode | sort 0 log | table log &lt;/query&gt; &lt;/search&gt; &lt;fieldForLabel&gt;log&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;log&lt;/fieldForValue&gt; &lt;delimiter&gt;,&lt;/delimiter&gt; &lt;default&gt;All *&lt;/default&gt; &lt;/input&gt; &lt;input type="link" id="submit_button1"&gt; &lt;label&gt;&lt;/label&gt; &lt;choice value="submit"&gt;Submit&lt;/choice&gt; &lt;/input&gt; &lt;html depends="$hide$"&gt; &lt;style&gt; #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{ width: 350px !important; } #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{ width: 350px !important; margin-right: auto !important; } .fieldset .input{ width:auto !important; } #submit_button1{ width:80px !important; } #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{ width:80px !important; } #submit_button1 button{ padding: 6px 15px !important; border-radius: 3px !important; font-weight: 500 !important; background-color: #5cc05c !important; border: transparent !important; color: #fff !important; } #submit_button1 button:hover{ background-color: #40a540 !important; border-color: transparent !important; } &lt;/style&gt; &lt;/html&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt; index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ | eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count &lt;/query&gt; &lt;earliest&gt;$pst_earliest1$&lt;/earliest&gt; &lt;latest&gt;$pst_latest1$&lt;/latest&gt; &lt;progress&gt; &lt;set token="search_count"&gt;$result._count$&lt;/set&gt; &lt;/progress&gt; &lt;/search&gt; &lt;option name="count"&gt;5&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> <P>and</P> <PRE><CODE> require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function($,mvc){ var submittedTokens = mvc.Components.get("submitted"); $("#submit_button1").click(function(){ submittedTokens.set("submit_trigger1", ""+Math.random()); submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1")); submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1")); submittedTokens.set("network_id",submittedTokens.get("network_id_onChange")); submittedTokens.set("host",submittedTokens.get("host_onChange")); submittedTokens.set("logs",submittedTokens.get("logs_onChange")); submittedTokens.set("raw",submittedTokens.get("raw_onChange")); }); $(document).on('keyup', function(e){ if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") { submittedTokens.set("submit_trigger1", ""+Math.random()); submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1")); submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1")); submittedTokens.set("network_id",submittedTokens.get("network_id_onChange")); submittedTokens.set("host",submittedTokens.get("host_onChange")); submittedTokens.set("logs",submittedTokens.get("logs_onChange")); submittedTokens.set("raw",submittedTokens.get("raw_onChange")); } }); }); </CODE></PRE> Fri, 10 Jan 2020 18:38:22 GMT nick405060 2020-01-10T18:38:22Z https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/482040#M31614 <P>Is there an app or dashboard to search WinEventLogs? <A href="https://splunkbase.splunk.com/app/3067">https://splunkbase.splunk.com/app/3067</A> doesn't really let you search your WinEventLogs, it mostly just gives high level metrics</P> Fri, 10 Jan 2020 18:36:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/482040#M31614 nick405060 2020-01-10T18:36:19Z https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/482041#M31615 <P>Here</P> <PRE><CODE>&lt;form script="wineventlog.js"&gt; &lt;label&gt;WinEventLog Explorer&lt;/label&gt; &lt;description&gt;&lt;/description&gt; &lt;search&gt; &lt;query&gt; | makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time) &lt;/query&gt; &lt;earliest&gt;$TIMERANGE1.earliest$&lt;/earliest&gt; &lt;latest&gt;$TIMERANGE1.latest$&lt;/latest&gt; &lt;preview&gt; &lt;set token="pst_earliest_onChange1"&gt;$result.temp_earliest$&lt;/set&gt; &lt;set token="pst_latest_onChange1"&gt;$result.temp_latest$&lt;/set&gt; &lt;/preview&gt; &lt;/search&gt; &lt;search&gt; &lt;query&gt; | makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?&lt;eventcode&gt;.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=") &lt;/query&gt; &lt;preview&gt; &lt;set token="eventcodes_query"&gt;$result.eventcodes_query$&lt;/set&gt; &lt;/preview&gt; &lt;/search&gt; &lt;row&gt; &lt;panel&gt; &lt;html&gt; &lt;br/&gt; &lt;p&gt; Select &lt;b&gt;search raw data&lt;/b&gt; to search raw data. &lt;b&gt;Strongly not recommended&lt;/b&gt; for time periods greater than 1h. &lt;/p&gt; &lt;p&gt; If &lt;b&gt;search raw data&lt;/b&gt; is not selected, these data fields are searched: &lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;p&gt;NetworkID -- user, User, Mapped_Name&lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt;Hostname -- host, src, Caller_Computer_Name&lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt;IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address&lt;/p&gt; &lt;/li&gt; &lt;/ul&gt; &lt;br/&gt; &lt;/html&gt; &lt;/panel&gt; &lt;/row&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;Search ($search_count$)&lt;/title&gt; &lt;input type="time" token="TIMERANGE1"&gt; &lt;label&gt;Period:&lt;/label&gt; &lt;default&gt; &lt;earliest&gt;@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="network_id_onChange"&gt; &lt;label&gt;NetworkID:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="text" token="host_onChange"&gt; &lt;label&gt;Hostname or IP:&lt;/label&gt; &lt;default&gt;*&lt;/default&gt; &lt;/input&gt; &lt;input type="checkbox" token="raw_onChange"&gt; &lt;label&gt;&lt;/label&gt; &lt;choice value="*"&gt;Search raw data?&lt;/choice&gt; &lt;default&gt;junkvalue&lt;/default&gt; &lt;/input&gt; &lt;input type="multiselect" token="logs_onChange" id="multiselect_logs"&gt; &lt;label&gt;Log(s):&lt;/label&gt; &lt;choice value="All *"&gt;All&lt;/choice&gt; &lt;search&gt; &lt;query&gt; index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?&lt;logname&gt;.+)" | eval log=logname." ".EventCode | sort 0 log | table log &lt;/query&gt; &lt;/search&gt; &lt;fieldForLabel&gt;log&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;log&lt;/fieldForValue&gt; &lt;delimiter&gt;,&lt;/delimiter&gt; &lt;default&gt;All *&lt;/default&gt; &lt;/input&gt; &lt;input type="link" id="submit_button1"&gt; &lt;label&gt;&lt;/label&gt; &lt;choice value="submit"&gt;Submit&lt;/choice&gt; &lt;/input&gt; &lt;html depends="$hide$"&gt; &lt;style&gt; #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{ width: 350px !important; } #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{ width: 350px !important; margin-right: auto !important; } .fieldset .input{ width:auto !important; } #submit_button1{ width:80px !important; } #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{ width:80px !important; } #submit_button1 button{ padding: 6px 15px !important; border-radius: 3px !important; font-weight: 500 !important; background-color: #5cc05c !important; border: transparent !important; color: #fff !important; } #submit_button1 button:hover{ background-color: #40a540 !important; border-color: transparent !important; } &lt;/style&gt; &lt;/html&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt; index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ | eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count &lt;/query&gt; &lt;earliest&gt;$pst_earliest1$&lt;/earliest&gt; &lt;latest&gt;$pst_latest1$&lt;/latest&gt; &lt;progress&gt; &lt;set token="search_count"&gt;$result._count$&lt;/set&gt; &lt;/progress&gt; &lt;/search&gt; &lt;option name="count"&gt;5&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> <P>and</P> <PRE><CODE> require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function($,mvc){ var submittedTokens = mvc.Components.get("submitted"); $("#submit_button1").click(function(){ submittedTokens.set("submit_trigger1", ""+Math.random()); submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1")); submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1")); submittedTokens.set("network_id",submittedTokens.get("network_id_onChange")); submittedTokens.set("host",submittedTokens.get("host_onChange")); submittedTokens.set("logs",submittedTokens.get("logs_onChange")); submittedTokens.set("raw",submittedTokens.get("raw_onChange")); }); $(document).on('keyup', function(e){ if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") { submittedTokens.set("submit_trigger1", ""+Math.random()); submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1")); submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1")); submittedTokens.set("network_id",submittedTokens.get("network_id_onChange")); submittedTokens.set("host",submittedTokens.get("host_onChange")); submittedTokens.set("logs",submittedTokens.get("logs_onChange")); submittedTokens.set("raw",submittedTokens.get("raw_onChange")); } }); }); </CODE></PRE> Fri, 10 Jan 2020 18:38:22 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/482041#M31615 nick405060 2020-01-10T18:38:22Z https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/668595#M54724 <P>Not sure why but this gives error on line 19, unexpected close of query.</P> Tue, 14 Nov 2023 15:58:40 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-app-or-dashboard-to-explore-WinEventLogs/m-p/668595#M54724 davvik 2023-11-14T15:58:40Z