Fairly new to Splunk, and I'm starting my deployment off with monitoring Windows Event Logs. I have a list of about 200 specific event log entries that need to be alerted on. What is the best way to go about this? Most Splunk alerts seem very easy to set up, such as "give me any server that has CPU usage above 75%". But in this case, I have a lot of very specific data I need to search for. I was thinking of doing something like the following, but it seems very inefficient.
index="EventLogData" (SourceName="Microsoft-Windows-Service Control Manager" AND EventCode=7036) OR (SourceName="Interactive Services detection" AND EventCode=1000) OR ...(same thing 198 times).
An alternative is to pull all event log entries that occurred over the past minute, then do some regular expression matching on all returned events. Or I can split up the above line into 200 individual searches that run once a minute.
Has anyone had to do something like this before with Splunk? What would be an efficient way to handle alerting on these 200+ specific events? The above is just an example; the Windows events I'm looking for are mostly errors (but not all) and spread across many different sources (Microsoft, HP, various agents, applications, etc.). I can probably combine the common sources, but that still leaves me with 50 or so events I need to search for. Any help is appreciated! Thanks.
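As an added example (not part of the question above, and not Splunk's own tooling), the following Python script takes a watch list of (SourceName, EventCode) pairs and generates the grouped search the poster describes, one clause per SourceName with that source's EventCodes OR'd together, so the 200-entry list lives in one table instead of a hand-written search. The index name and the two event pairs come from the question; the extra entries in the watch list are constructed for illustration.

```python
# Generate a grouped Splunk search from a list of (SourceName, EventCode) pairs.

# Constructed sample watch list: the two pairs quoted in the question plus
# two made-up entries to show how a shared SourceName is combined and how
# duplicates are dropped.
WATCHED_EVENTS = [
    ("Microsoft-Windows-Service Control Manager", 7036),
    ("Interactive Services detection", 1000),
    ("Microsoft-Windows-Service Control Manager", 7034),  # constructed
    ("Microsoft-Windows-Service Control Manager", 7036),  # constructed duplicate
]


def spl_quote(value):
    """Quote a string for use as an SPL field value.

    Backslashes and double quotes are escaped so a SourceName containing
    either cannot break out of the quoted value.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def group_by_source(events):
    """Map each SourceName to the sorted, de-duplicated set of its EventCodes."""
    by_source = {}
    for source, code in events:
        by_source.setdefault(source, set()).add(int(code))
    return {source: sorted(codes) for source, codes in by_source.items()}


def build_search(index, events):
    """Return one SPL search: (SourceName=A AND (EventCode=x OR ...)) OR (...)."""
    clauses = []
    for source, codes in sorted(group_by_source(events).items()):
        if len(codes) == 1:
            code_expr = "EventCode=%d" % codes[0]
        else:
            code_expr = "(" + " OR ".join("EventCode=%d" % c for c in codes) + ")"
        clauses.append("(SourceName=%s AND %s)" % (spl_quote(source), code_expr))
    return "index=%s %s" % (spl_quote(index), " OR ".join(clauses))


def is_watched(events, source, code):
    """Exact-match check for the 'pull everything, then filter' alternative."""
    return int(code) in group_by_source(events).get(source, [])


if __name__ == "__main__":
    print(build_search("EventLogData", WATCHED_EVENTS))
```

The generated string can be pasted into a scheduled alert search; regenerating it from the list is what keeps a 200-entry watch list maintainable.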