https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248323#M74102 <P>Is there a way to rename EventCodes xxxx field to "description" in timechart? Here is a sample search:</P> <P>Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | timechart count by EventCode</P> <P>Thanks!</P> Tue, 15 Mar 2016 08:31:45 GMT smudge797 2016-03-15T08:31:45Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248323#M74102 <P>Is there a way to rename EventCodes xxxx field to "description" in timechart? Here is a sample search:</P> <P>Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | timechart count by EventCode</P> <P>Thanks!</P> Tue, 15 Mar 2016 08:31:45 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248323#M74102 smudge797 2016-03-15T08:31:45Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248324#M74103 <P>Hi <BR /> I rectified use case statement and retry</P> <PRE><CODE> Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description </CODE></PRE> Tue, 15 Mar 2016 08:36:23 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248324#M74103 chimell 2016-03-15T08:36:23Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248325#M74104 <P>Thanks but i need the description to be something like:<BR /> 4768 A Kerberos authentication ticket (TGT) was requested <BR /> 4800 The workstation was locked<BR /> 4801 The workstation was unlocked <BR /> 4768 User Logged in</P> <P>Rather than just listing the event codes.</P> Tue, 15 Mar 2016 08:46:51 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248325#M74104 smudge797 2016-03-15T08:46:51Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248326#M74105 <P>you can use <CODE>replace</CODE> command to do it .</P> <P>try like this:</P> <PRE><CODE>... | replace 4800 with "The workstation was locked" in EventCode| replace 4801 with "The workstation was unlocked" in EventCode|..... </CODE></PRE> Tue, 15 Mar 2016 09:48:48 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248326#M74105 fdi01 2016-03-15T09:48:48Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248327#M74106 <P>just retry my new search code above</P> Tue, 15 Mar 2016 10:11:31 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248327#M74106 chimell 2016-03-15T10:11:31Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248328#M74107 <P>Nice! Thanks</P> Tue, 15 Mar 2016 12:11:55 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248328#M74107 smudge797 2016-03-15T12:11:55Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248329#M74108 <P>where are the query that you propose ?</P> Tue, 15 Mar 2016 12:15:23 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248329#M74108 chimell 2016-03-15T12:15:23Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248330#M74109 <P>i ok with Mm chimell where is your answer Mm smudge797<BR /> post your answer because it can help somebody<BR /> thanks.</P> Wed, 16 Mar 2016 08:39:39 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248330#M74109 fdi01 2016-03-16T08:39:39Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248331#M74110 <P>This worked from Chimell. Thanks</P> <P>Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description</P> Wed, 16 Mar 2016 08:50:16 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248331#M74110 smudge797 2016-03-16T08:50:16Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248332#M74111 <P>go accept and upvote answer of Mm chimell if you agree Mm smudge797<BR /> thanks.</P> Wed, 16 Mar 2016 09:01:31 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248332#M74111 fdi01 2016-03-16T09:01:31Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248333#M74112 <P>Hi smudge,</P> <P>Did you try CSV lookups ? Check this out</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Addfieldsfromexternaldatasources#CSV_lookup_example">http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Addfieldsfromexternaldatasources#CSV_lookup_example</A></P> <P>Hope it helps!</P> Wed, 16 Mar 2016 13:29:25 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248333#M74112 alemarzu 2016-03-16T13:29:25Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248334#M74113 <P>You should use a csv-Lookup here...</P> <P>Just follow these steps:</P> <OL> <LI>Create a csv-file containing the EventCodes and the Description you could use this site as a reference for the csv: <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx</A></LI> <LI>Upload the csv-file to Splunk via Settings -&gt; Lookups -&gt; Lookup Table files -&gt; New</LI> <LI>optional: Create a lookup-Definition and a automatic lookup for your sourcetype (reference here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources</A>)</LI> <LI>Use the lookup to add the additional knowledge data</LI> </OL> <P>Assuming your csv has the name <CODE>winevents.csv</CODE> and has this structure:</P> <PRE><CODE> EventCode,Description 513,Windows is shutting down 514,An authentication package has been loaded by the Local Security Authority </CODE></PRE> <P>this would be your search:</P> <PRE><CODE> Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | lookup winevents.csv EventCode OUTPUT Description | timechart count by Description </CODE></PRE> Wed, 16 Mar 2016 13:49:20 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248334#M74113 DMohn 2016-03-16T13:49:20Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248335#M74114 <P>hi smudge797 <BR /> you say that my answer is good . Now vote it .</P> Tue, 22 Mar 2016 09:30:04 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248335#M74114 chimell 2016-03-22T09:30:04Z https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248336#M74115 <P>hi I am following the guideline but i am facing the error: Could not find all of the specified lookup fields in the lookup table" Please advise</P> Tue, 21 Jun 2016 12:44:21 GMT https://community.splunk.com/t5/Splunk-Search/rename-EventCodes/m-p/248336#M74115 rashid47010 2016-06-21T12:44:21Z