Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Is there an app or dashboard to explore WinEventLo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-10-2020
10:36 AM
Is there an app or dashboard to search WinEventLogs? https://splunkbase.splunk.com/app/3067 doesn't really let you search your WinEventLogs, it mostly just gives high level metrics
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-10-2020
10:38 AM
Here
<form script="wineventlog.js">
<label>WinEventLog Explorer</label>
<description></description>
<search>
<query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
</query>
<earliest>$TIMERANGE1.earliest$</earliest>
<latest>$TIMERANGE1.latest$</latest>
<preview>
<set token="pst_earliest_onChange1">$result.temp_earliest$</set>
<set token="pst_latest_onChange1">$result.temp_latest$</set>
</preview>
</search>
<search>
<query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
</query>
<preview>
<set token="eventcodes_query">$result.eventcodes_query$</set>
</preview>
</search>
<row>
<panel>
<html>
<br/>
<p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
</p>
<p>
If <b>search raw data</b> is not selected, these data fields are searched:
</p>
<ul>
<li>
<p>NetworkID -- user, User, Mapped_Name</p>
</li>
<li>
<p>Hostname -- host, src, Caller_Computer_Name</p>
</li>
<li>
<p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
</li>
</ul>
<br/>
</html>
</panel>
</row>
<row>
<panel>
<title>Search ($search_count$)</title>
<input type="time" token="TIMERANGE1">
<label>Period:</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="network_id_onChange">
<label>NetworkID:</label>
<default>*</default>
</input>
<input type="text" token="host_onChange">
<label>Hostname or IP:</label>
<default>*</default>
</input>
<input type="checkbox" token="raw_onChange">
<label></label>
<choice value="*">Search raw data?</choice>
<default>junkvalue</default>
</input>
<input type="multiselect" token="logs_onChange" id="multiselect_logs">
<label>Log(s):</label>
<choice value="All *">All</choice>
<search>
<query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
</query>
</search>
<fieldForLabel>log</fieldForLabel>
<fieldForValue>log</fieldForValue>
<delimiter>,</delimiter>
<default>All *</default>
</input>
<input type="link" id="submit_button1">
<label></label>
<choice value="submit">Submit</choice>
</input>
<html depends="$hide$">
<style>
#multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
width: 350px !important;
}
#multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
width: 350px !important;
margin-right: auto !important;
}
.fieldset .input{
width:auto !important;
}
#submit_button1{
width:80px !important;
}
#submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
width:80px !important;
}
#submit_button1 button{
padding: 6px 15px !important;
border-radius: 3px !important;
font-weight: 500 !important;
background-color: #5cc05c !important;
border: transparent !important;
color: #fff !important;
}
#submit_button1 button:hover{
background-color: #40a540 !important;
border-color: transparent !important;
}
</style>
</html>
<table>
<search>
<query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name |
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
</query>
<earliest>$pst_earliest1$</earliest>
<latest>$pst_latest1$</latest>
<progress>
<set token="search_count">$result._count$</set>
</progress>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
and
require([
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/simplexml/ready!'
], function($,mvc){
var submittedTokens = mvc.Components.get("submitted");
$("#submit_button1").click(function(){
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
});
$(document).on('keyup', function(e){
if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") {
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
}
});
});
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-10-2020
10:38 AM
Here
<form script="wineventlog.js">
<label>WinEventLog Explorer</label>
<description></description>
<search>
<query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
</query>
<earliest>$TIMERANGE1.earliest$</earliest>
<latest>$TIMERANGE1.latest$</latest>
<preview>
<set token="pst_earliest_onChange1">$result.temp_earliest$</set>
<set token="pst_latest_onChange1">$result.temp_latest$</set>
</preview>
</search>
<search>
<query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
</query>
<preview>
<set token="eventcodes_query">$result.eventcodes_query$</set>
</preview>
</search>
<row>
<panel>
<html>
<br/>
<p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
</p>
<p>
If <b>search raw data</b> is not selected, these data fields are searched:
</p>
<ul>
<li>
<p>NetworkID -- user, User, Mapped_Name</p>
</li>
<li>
<p>Hostname -- host, src, Caller_Computer_Name</p>
</li>
<li>
<p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
</li>
</ul>
<br/>
</html>
</panel>
</row>
<row>
<panel>
<title>Search ($search_count$)</title>
<input type="time" token="TIMERANGE1">
<label>Period:</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="network_id_onChange">
<label>NetworkID:</label>
<default>*</default>
</input>
<input type="text" token="host_onChange">
<label>Hostname or IP:</label>
<default>*</default>
</input>
<input type="checkbox" token="raw_onChange">
<label></label>
<choice value="*">Search raw data?</choice>
<default>junkvalue</default>
</input>
<input type="multiselect" token="logs_onChange" id="multiselect_logs">
<label>Log(s):</label>
<choice value="All *">All</choice>
<search>
<query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
</query>
</search>
<fieldForLabel>log</fieldForLabel>
<fieldForValue>log</fieldForValue>
<delimiter>,</delimiter>
<default>All *</default>
</input>
<input type="link" id="submit_button1">
<label></label>
<choice value="submit">Submit</choice>
</input>
<html depends="$hide$">
<style>
#multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
width: 350px !important;
}
#multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
width: 350px !important;
margin-right: auto !important;
}
.fieldset .input{
width:auto !important;
}
#submit_button1{
width:80px !important;
}
#submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
width:80px !important;
}
#submit_button1 button{
padding: 6px 15px !important;
border-radius: 3px !important;
font-weight: 500 !important;
background-color: #5cc05c !important;
border: transparent !important;
color: #fff !important;
}
#submit_button1 button:hover{
background-color: #40a540 !important;
border-color: transparent !important;
}
</style>
</html>
<table>
<search>
<query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name |
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
</query>
<earliest>$pst_earliest1$</earliest>
<latest>$pst_latest1$</latest>
<progress>
<set token="search_count">$result._count$</set>
</progress>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
and
require([
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/simplexml/ready!'
], function($,mvc){
var submittedTokens = mvc.Components.get("submitted");
$("#submit_button1").click(function(){
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
});
$(document).on('keyup', function(e){
if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") {
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
}
});
});
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davvik
Engager
11-14-2023
07:58 AM
Not sure why but this gives error on line 19, unexpected close of query.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...
They're back! Join the SplunkTrust and MVP at .conf24
With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...
Enterprise Security Content Update (ESCU) | New Releases
Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...
