topic Re: How can I make a table for multiple Windows Events ? in Splunk Search

How can I make a table for multiple Windows Events ?

itrimble1 — Tue, 09 Jul 2019 18:20:36 GMT

How can I make a table for multiple Windows Events ? This search gives me good results for one Event Code, but I have multiple Event IDs. Trying to do some tuning.

index=wineventlog source=WinEventLog:security EventCode=4624
 | fields _raw 
 | eval esize=len(_raw) 
 | stats count as count avg(esize) as avg 
 | eval bytes=count*avg 
 | eval kb=bytes/1024 
 | eval mb=round(kb/1024,2) 
 | stats values(kb) as KB, values(mb) AS MB

Re: How can I make a table for multiple Windows Events ?

tiagofbmm — Tue, 09 Jul 2019 20:21:48 GMT

How about splitting by EventCode:

 index=wineventlog source=WinEventLog:security 
  | fields _raw 
  | eval esize=len(_raw) 
  | stats count as count avg(esize) as avg by EventCode
  | eval bytes=count*avg 
  | eval kb=bytes/1024 
  | eval mb=round(kb/1024,2) 
  | stats values(kb) as KB, values(mb) AS MB by EventCode

Re: How can I make a table for multiple Windows Events ?

woodcock — Tue, 09 Jul 2019 22:40:14 GMT

Like this:

index=wineventlog source=WinEventLog:security
| fields _raw 
| eval esize=len(_raw) 
| stats count AS count avg(esize) AS avg 
| eval bytes=count*avg 
| eval kb=bytes/1024 
| eval mb=round(kb/1024,2) 
| stats values(kb) AS KB, values(mb) AS MB BY EventCode

Also be aware that convert and has some things to do the bytes->whatever things.