https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216428#M63501 <P>What about:</P> <PRE><CODE>host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | timechart count(eval(EventCode="21")) AS "Logons" count(eval(EventCode="23")) AS "Logoffs" | eval Difference = (Logons - Logoffs) </CODE></PRE> Mon, 18 Apr 2016 22:04:17 GMT Jeremiah 2016-04-18T22:04:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216426#M63499 <P>Hello!</P> <P>I have some Windows event log data with 5 different event codes. I need to count by each of the event codes and then perform basic arithmetic on those counts. For example, event code 21 is logon, event code 23 is logoff. I need to count logons and then logoffs and then subtract logoffs from logons. I can do this all using stats for a 1 time answer, but I really want to be able to dump it into something like timechart so I can see the difference over time (hourly or daily).</P> <P>The best I have right now is the one-time view with Stats:</P> <PRE><CODE>host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | stats count(eval(EventCode="21")) AS "Logons", count(eval(EventCode="23")) AS "Logoffs" | eval Difference = (Logons - Logoffs) | stats sum(Difference) </CODE></PRE> <P>Or the timechart with each of the individual event codes:</P> <PRE><CODE>host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | timechart count by EventCode </CODE></PRE> <P>Does anyone have any suggestions? Thanks in advance!</P> Mon, 18 Apr 2016 21:29:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216426#M63499 Branden 2016-04-18T21:29:32Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216427#M63500 <P>Add <CODE>| bucket _time span=1h|</CODE> to your first search string to get hourly changes, and for daily do <CODE>| bucket _time span=1d|</CODE></P> <PRE><CODE>host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | bucket _time span=1h | stats count(eval(EventCode="21")) AS "Logons", count(eval(EventCode="23")) AS "Logoffs" by _time | eval Difference = (Logons - Logoffs) | table _time Difference </CODE></PRE> Mon, 18 Apr 2016 21:57:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216427#M63500 jensonthottian 2016-04-18T21:57:00Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216428#M63501 <P>What about:</P> <PRE><CODE>host=somehostnames* sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | timechart count(eval(EventCode="21")) AS "Logons" count(eval(EventCode="23")) AS "Logoffs" | eval Difference = (Logons - Logoffs) </CODE></PRE> Mon, 18 Apr 2016 22:04:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-count-of-each-Windows-event-code-in-my-data/m-p/216428#M63501 Jeremiah 2016-04-18T22:04:17Z