Is there an app or dashboard to search WinEventLogs? https://splunkbase.splunk.com/app/3067 doesn't really let you search your WinEventLogs; it mostly just gives high-level metrics.
Here
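<form script="wineventlog.js">
  <!--
    WinEventLog Explorer.
    Token flow: each input writes a *_onChange staging token; wineventlog.js copies
    those into network_id / host / logs / raw (plus pst_earliest1 / pst_latest1 and a
    random submit_trigger1) when Submit is clicked or Enter is pressed, so the table
    search below re-runs only on an explicit submit rather than on every keystroke.
  -->
  <label>WinEventLog Explorer</label>
  <description></description>

  <!-- Resolve the time picker into epoch bounds for the table search. addinfo reports
       info_max_time as "+Infinity" for an open-ended latest, hence the now() fallback. -->
  <search>
    <query>
      | makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>

  <!-- Build "EventCode=A OR EventCode=B ..." from the multiselect values ("logname code").
       The rex named capture group contains a literal "<", which the XML parser otherwise
       treats as the start of an element; that is what produces the "unexpected close of
       query" error. CDATA keeps the SPL verbatim (tokens are still substituted). The
       same applies to the log-list query in the multiselect input further down. -->
  <search>
    <query><![CDATA[
      | makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
    ]]></query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <row>
    <panel>
      <html>
        <br/>
        <p>
          Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
          If <b>search raw data</b> is not selected, these data fields are searched:
        </p>
        <ul>
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>

  <row>
    <panel>
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <!-- Ticked: raw_onChange = "*". Unticked: the non-matching default "junkvalue" is
           what the table search sees, which is what turns the raw branch off. -->
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <!-- Choices are "logname EventCode" pairs seen in the last 5 minutes; the
           eventcodes_query search above splits the comma-delimited selection. -->
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query><![CDATA[
            index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          ]]></query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <!-- No token: wineventlog.js binds the click handler by this id. -->
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>

      <!-- $hide$ is never set anywhere in this form, so this panel stays hidden and only
           contributes its CSS (widening the multiselect, styling the submit link). -->
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1 button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1 button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>

      <!-- Main search. The first OR branch is the "search raw data" switch: raw is "*"
           when the box is ticked (presumably making _time="*" match every event) and
           "junkvalue" otherwise, so only the field-match branch applies.
           NOTE(review): SPL evaluates OR before AND, so the host clause and the
           EventCode clause are ANDed with both branches; add explicit parentheses if the
           raw branch is meant to bypass them.
           Token values are inserted verbatim into the SPL string. The search runs with
           the viewing user's own Splunk permissions, so this is a robustness issue
           (characters with SPL meaning in an input change the generated query) rather
           than a privilege boundary; the |s token filter cannot be used here because of
           the surrounding wildcards, so consider validating the inputs instead.
           eval trigger="$submit_trigger1$" only exists so the query text changes on
           every submit and the search re-runs even with unchanged inputs. The
           streamstats/stats/fields sequence flattens multivalue fields; the trailing
           eventstats feeds the panel title via $search_count$. -->
      <table>
        <search>
          <query>
            index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
            eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name |
            streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
          </query>
          <earliest>$pst_earliest1$</earliest>
          <latest>$pst_latest1$</latest>
          <progress>
            <set token="search_count">$result._count$</set>
          </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>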
and
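require([
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/simplexml/ready!'
], function($, mvc){
  // Token model the dashboard searches read from (as opposed to the unsubmitted
  // default model the inputs write to).
  var submittedTokens = mvc.Components.get("submitted");

  // Promote the *_onChange staging tokens written by the inputs into the tokens the
  // table search consumes. submit_trigger1 gets a fresh random value so the search
  // re-runs even when none of the other values changed. Shared by both triggers
  // below so the two lists cannot drift apart.
  function submitSearch(){
    submittedTokens.set("submit_trigger1", "" + Math.random());
    submittedTokens.set("pst_earliest1", submittedTokens.get("pst_earliest_onChange1"));
    submittedTokens.set("pst_latest1", submittedTokens.get("pst_latest_onChange1"));
    submittedTokens.set("network_id", submittedTokens.get("network_id_onChange"));
    submittedTokens.set("host", submittedTokens.get("host_onChange"));
    submittedTokens.set("logs", submittedTokens.get("logs_onChange"));
    submittedTokens.set("raw", submittedTokens.get("raw_onChange"));
  }

  // Submit link (styled as a button by the dashboard CSS).
  $("#submit_button1").click(function(){
    submitSearch();
  });

  // Enter anywhere on the page also submits. Read the handler's own event argument:
  // the original checked the global `event`, which is not defined in every browser
  // and threw a ReferenceError there instead of submitting.
  $(document).on('keyup', function(e){
    if (e.key === "Enter" || e.which === 13 || e.keyCode === 13) {
      submitSearch();
    }
  });
});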
Here
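<form script="wineventlog.js">
  <!--
    WinEventLog Explorer.
    Token flow: each input writes a *_onChange staging token; wineventlog.js copies
    those into network_id / host / logs / raw (plus pst_earliest1 / pst_latest1 and a
    random submit_trigger1) when Submit is clicked or Enter is pressed, so the table
    search below re-runs only on an explicit submit rather than on every keystroke.
  -->
  <label>WinEventLog Explorer</label>
  <description></description>

  <!-- Resolve the time picker into epoch bounds for the table search. addinfo reports
       info_max_time as "+Infinity" for an open-ended latest, hence the now() fallback. -->
  <search>
    <query>
      | makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>

  <!-- Build "EventCode=A OR EventCode=B ..." from the multiselect values ("logname code").
       The rex named capture group contains a literal "<", which the XML parser otherwise
       treats as the start of an element; that is what produces the "unexpected close of
       query" error. CDATA keeps the SPL verbatim (tokens are still substituted). The
       same applies to the log-list query in the multiselect input further down. -->
  <search>
    <query><![CDATA[
      | makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
    ]]></query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <row>
    <panel>
      <html>
        <br/>
        <p>
          Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
          If <b>search raw data</b> is not selected, these data fields are searched:
        </p>
        <ul>
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>

  <row>
    <panel>
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <!-- Ticked: raw_onChange = "*". Unticked: the non-matching default "junkvalue" is
           what the table search sees, which is what turns the raw branch off. -->
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <!-- Choices are "logname EventCode" pairs seen in the last 5 minutes; the
           eventcodes_query search above splits the comma-delimited selection. -->
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query><![CDATA[
            index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          ]]></query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <!-- No token: wineventlog.js binds the click handler by this id. -->
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>

      <!-- $hide$ is never set anywhere in this form, so this panel stays hidden and only
           contributes its CSS (widening the multiselect, styling the submit link). -->
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1 button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1 button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>

      <!-- Main search. The first OR branch is the "search raw data" switch: raw is "*"
           when the box is ticked (presumably making _time="*" match every event) and
           "junkvalue" otherwise, so only the field-match branch applies.
           NOTE(review): SPL evaluates OR before AND, so the host clause and the
           EventCode clause are ANDed with both branches; add explicit parentheses if the
           raw branch is meant to bypass them.
           Token values are inserted verbatim into the SPL string. The search runs with
           the viewing user's own Splunk permissions, so this is a robustness issue
           (characters with SPL meaning in an input change the generated query) rather
           than a privilege boundary; the |s token filter cannot be used here because of
           the surrounding wildcards, so consider validating the inputs instead.
           eval trigger="$submit_trigger1$" only exists so the query text changes on
           every submit and the search re-runs even with unchanged inputs. The
           streamstats/stats/fields sequence flattens multivalue fields; the trailing
           eventstats feeds the panel title via $search_count$. -->
      <table>
        <search>
          <query>
            index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
            eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name |
            streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
          </query>
          <earliest>$pst_earliest1$</earliest>
          <latest>$pst_latest1$</latest>
          <progress>
            <set token="search_count">$result._count$</set>
          </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>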
and
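require([
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/simplexml/ready!'
], function($, mvc){
  // Token model the dashboard searches read from (as opposed to the unsubmitted
  // default model the inputs write to).
  var submittedTokens = mvc.Components.get("submitted");

  // Promote the *_onChange staging tokens written by the inputs into the tokens the
  // table search consumes. submit_trigger1 gets a fresh random value so the search
  // re-runs even when none of the other values changed. Shared by both triggers
  // below so the two lists cannot drift apart.
  function submitSearch(){
    submittedTokens.set("submit_trigger1", "" + Math.random());
    submittedTokens.set("pst_earliest1", submittedTokens.get("pst_earliest_onChange1"));
    submittedTokens.set("pst_latest1", submittedTokens.get("pst_latest_onChange1"));
    submittedTokens.set("network_id", submittedTokens.get("network_id_onChange"));
    submittedTokens.set("host", submittedTokens.get("host_onChange"));
    submittedTokens.set("logs", submittedTokens.get("logs_onChange"));
    submittedTokens.set("raw", submittedTokens.get("raw_onChange"));
  }

  // Submit link (styled as a button by the dashboard CSS).
  $("#submit_button1").click(function(){
    submitSearch();
  });

  // Enter anywhere on the page also submits. Read the handler's own event argument:
  // the original checked the global `event`, which is not defined in every browser
  // and threw a ReferenceError there instead of submitting.
  $(document).on('keyup', function(e){
    if (e.key === "Enter" || e.which === 13 || e.keyCode === 13) {
      submitSearch();
    }
  });
});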
Not sure why, but this gives an error on line 19: unexpected close of query.