Dashboards & Visualizations

I don't know how to name my question :(

Builder

Hello.
For example, I have that http://prntscr.com/inaah0 + the fourth field which will be have name "count"
And what I want to add to this search:
- If we have any events from that list, so it's will be counted
- if there are not any of there events, so the field "count" will be zero

It's need to be like that http://prntscr.com/inbgom

0 Karma
1 Solution

I'll assume the events you're searching have a field called EventCode, just like the field in your lookup file. I'd structure the search like this:

index=whatever_windows_logs sourcetype=probably_windows 
    [| inputlookup audit_filtering_platform_policy_change.csv 
    | fields EventCode 
    | format ] 
| append 
    [| inputlookup audit_filtering_platform_policy_change.csv ] 
| eventstats count by EventCode 
| eval count=count-1 
| stats values(Action) AS Action values(Description) AS Description max(count) AS Count BY EventCode

The first four lines will use the values of EventCodes in your lookup file as a search filter to find all events with matching EventCodes. I then append in the full lookup file and use eventstats to count all instances of each EventCode - but since we appended in the lookup file itself, the count for each type will be exactly 1 higher than the number found in the logs (because it will also count the line from the lookup file), which is why I subtract 1. Finally, I just list out the values for the columns, as desired.

View solution in original post

I'll assume the events you're searching have a field called EventCode, just like the field in your lookup file. I'd structure the search like this:

index=whatever_windows_logs sourcetype=probably_windows 
    [| inputlookup audit_filtering_platform_policy_change.csv 
    | fields EventCode 
    | format ] 
| append 
    [| inputlookup audit_filtering_platform_policy_change.csv ] 
| eventstats count by EventCode 
| eval count=count-1 
| stats values(Action) AS Action values(Description) AS Description max(count) AS Count BY EventCode

The first four lines will use the values of EventCodes in your lookup file as a search filter to find all events with matching EventCodes. I then append in the full lookup file and use eventstats to count all instances of each EventCode - but since we appended in the lookup file itself, the count for each type will be exactly 1 higher than the number found in the logs (because it will also count the line from the lookup file), which is why I subtract 1. Finally, I just list out the values for the columns, as desired.

View solution in original post

Builder

Tnx, it works!

Now i need function "Data Overlay" works only with field "Count". How to do that? How it possible to change search?
https://ibb.co/e2NFxn

0 Karma

SplunkTrust
SplunkTrust

Assuming you want to search your indexed data for values from lookup (e.g. Action="Success" AND Description="Some Description here" AND EventCode="4944" ) and get the count of events, try like this

your base search e.g. index=foo sourcetype=bar.. [| inputlookup audit_filtering_platform_policy_change.csv | table Action Description EventCode ]
| stats count by Action Description EventCode
| append [| inputlookup audit_filtering_platform_policy_change.csv | table Action Description EventCode | eval count=0]
| stats max(count) as count by Action Description EventCode

The subsearch of | inputlookup ... will add values from lookup to your base search (search before first pipe) to only select for values present in the lookup table. The line 2 will get count of events for Action Description EventCode combination. Now it could be missing Action Description EventCode combinations for which there is not data being fetched from your base search. For that, we add rows from lookup using append command, and will set count=0 for those rows. Now there will be duplicate rows for some Action Description EventCode combination (for combinations which has some event counts from base search), so last stats command will condense it to single row with count taken from base search, if available, or use count=0 from append subsearch.

Builder

It's now working, but thank you! 🙂

0 Karma