How would I search for multiple event IDs?
sourcetype=wineventlog:security EventCode=631 OR EventCode=632 OR EventCode=633 ...
Is there a way to combine the event IDs in one EventCode statement?
Another one (a little crude, but more generic)
sourcetype=wineventlog:security [* | head 1 | eval EventCode="631,632,633...add all you want separated by comma" | table EventCode | eval EventCode=split(EventCode,",") | mvexpand EventCode]
Yes, but only for very specific cases.
In the case of your example you could use:
sourcetype=wineventlog:security | regex "EventCode=63[1-3]" | stats count by EventCode ComputerName
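As an added example (not from the thread), here are both approaches run over constructed sample events in Python: the exact-code list that the subsearch above expands to, and the unanchored regex against _raw, which also matches any longer code beginning with 631, 632 or 633. The sample events, the field extractor and the `(?!\d)` tightened pattern are my own assumptions, not Splunk's code or the answerers' queries.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread); each line stands in for
# the _raw text of one wineventlog:security event.
SAMPLE_EVENTS = [
    "EventCode=631 ComputerName=DC01 Message=Security enabled global group created",
    "EventCode=632 ComputerName=DC01 Message=Security enabled global group member added",
    "EventCode=633 ComputerName=FS02 Message=Security enabled global group member removed",
    "EventCode=634 ComputerName=FS02 Message=Security enabled global group deleted",
    "EventCode=6310 ComputerName=APP03 Message=constructed code sharing the 63x prefix",
    "EventCode=528 ComputerName=APP03 Message=Successful logon",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def extract_fields(raw):
    """Mimic Splunk's automatic key=value extraction (first value of a key wins)."""
    fields = {}
    for key, value in KV_RE.findall(raw):
        fields.setdefault(key, value)
    return fields

def search_by_code_list(events, codes):
    """EventCode=631 OR EventCode=632 OR ... : what the subsearch expands to."""
    wanted = {str(c) for c in codes}
    return [e for e in events if extract_fields(e).get("EventCode") in wanted]

def search_by_raw_regex(events, pattern):
    """| regex "<pattern>" with no field named runs against _raw, unanchored."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e)]

def stats_count_by(events, *by):
    """stats count by <fields>: {(field values...): count}."""
    counter = Counter()
    for e in events:
        f = extract_fields(e)
        counter[tuple(f.get(b) for b in by)] += 1
    return dict(counter)

if __name__ == "__main__":
    exact = search_by_code_list(SAMPLE_EVENTS, [631, 632, 633])
    loose = search_by_raw_regex(SAMPLE_EVENTS, r"EventCode=63[1-3]")
    # (?!\d) is an assumed tightening: refuse a further digit after the code.
    tight = search_by_raw_regex(SAMPLE_EVENTS, r"EventCode=63[1-3](?!\d)")
    print(len(exact), len(loose), len(tight))  # 3 4 3
    print(stats_count_by(loose, "EventCode", "ComputerName"))
```

The loose regex pulls in the constructed 6310 event, which the exact list and the tightened pattern both exclude; that is the kind of drawback the regex answer trades for brevity.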
Oh come on, don't be hurt 🙂
I'm merely stating the problem with the approach. It's still a valid approach, but it's important to point out its drawbacks. Between the 3 supplied answers here I believe we've shown what various approaches the user can take. Each of them has its own advantages and disadvantages.
Splunk Answers is free support, and a mess of half solutions. I say if you have a better answer, then post it. If you can make an answer better, then adjust it.
It is easy to be a critic.