Alerting

Alerting on Windows Event Logs

srubik
New Member

Fairly new to Splunk and I'm starting my deployment off with monitoring Windows Event Logs. I have a list of about 200 specific event log entries that need to be alerted on. What is the best way to go about this? Most Splunk alerts seem very easy to set up, such as "give me any server that has CPU usage above 75%". But in this case, I have a lot of very specific data I need to search for. I was thinking of doing something like the following, but it seems very inefficient.

index="EventLogData" (SourceName="Microsoft-Windows-Service Control Manager" AND EventCode=7036) OR (SourceName="Interactive Services detection" AND EventCode=1000) OR ...(same thing 198 times).

An alternative is to pull all event log entries that occurred over the past minute, then do some regular expression matching on all returned events. Or I can split up the above line into 200 individual searches that run once a minute.

Has anyone had to do something like this before with Splunk? What would be an efficient way to handle alerting on these 200+ specific events? The above is just an example; the Windows events I'm looking for are mostly errors (but not all) and spread across many different sources (Microsoft, HP, various agents, applications, etc.). I can probably combine the common sources, but that still leaves me with 50 or so events I need to search for. Any help is appreciated! Thanks.

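One way to keep a long list of (SourceName, EventCode) pairs out of the search string is to put the list in a CSV lookup and let Splunk generate the OR-ed filter from it. The search below is an added example, not code from the original post or from any answer on this page. It assumes a lookup file named critical_windows_events.csv (assumed name, uploaded via Settings > Lookups) with the columns SourceName, EventCode, severity and description, for example a constructed row such as `Microsoft-Windows-Service Control Manager,7036,low,Service state change` and `Interactive Services detection,1000,medium,See runbook`. Maintaining the list then means editing one CSV row per event rather than editing the saved search 200 times.

```spl
index="EventLogData"
    [| inputlookup critical_windows_events.csv
       | fields SourceName EventCode ]
| lookup critical_windows_events.csv SourceName EventCode OUTPUT severity description
| stats count AS occurrences
        latest(_time) AS last_seen
        values(host) AS hosts
        values(Message) AS sample_messages
  BY SourceName EventCode severity description
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - occurrences
```

The subsearch in square brackets returns every row of the lookup, and Splunk rewrites those rows into `(SourceName="..." AND EventCode="7036") OR (SourceName="..." AND EventCode="1000") OR ...`, which is exactly the hand-written filter from the question but built from the CSV at search time and applied at the indexer, so only matching events are pulled back. The second `lookup` call is not a filter; it attaches the severity and description columns so the alert output already says why each event matters. Saved as an alert, this runs fine on a one-minute cron schedule with `earliest=-1m@m latest=@m` and a trigger condition of "number of results > 0". Two things to check: the default subsearch limit (subsearch_maxout, 10,000 rows) is far above 200 entries, and lookup matching is case-sensitive by default, so SourceName in the CSV must match the indexed value exactly, or the lookup definition must be configured for case-insensitive matching.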

martin_mueller
SplunkTrust