Dashboards & Visualizations

Is there an app or dashboard to explore WinEventLogs?

nick405060
Motivator

Is there an app or dashboard to search WinEventLogs? https://splunkbase.splunk.com/app/3067 doesn't really let you search your WinEventLogs, it mostly just gives high level metrics

0 Karma
1 Solution

nick405060
Motivator

Here

<form script="wineventlog.js">
  <label>WinEventLog Explorer</label>
  <description></description>

  <search>
    <query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>
  <search>
    <query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
    </query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <row>
    <panel>
      <html>
        <br/>
        <p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
If <b>search raw data</b> is not selected, these data fields are searched: 
        </p>
        <ul>     
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1  button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1  button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
      <table>
      <search>
        <query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | 
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
        </query>
        <earliest>$pst_earliest1$</earliest>
        <latest>$pst_latest1$</latest>
        <progress>
          <set token="search_count">$result._count$</set>
        </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

and

 require([
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/simplexml/ready!'
 ], function($,mvc){
     var submittedTokens = mvc.Components.get("submitted");
     $("#submit_button1").click(function(){
         submittedTokens.set("submit_trigger1", ""+Math.random());
         submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
         submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
         submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
         submittedTokens.set("host",submittedTokens.get("host_onChange"));
         submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
         submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
     });
     $(document).on('keyup', function(e){
         if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") {
             submittedTokens.set("submit_trigger1", ""+Math.random());
             submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
             submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
             submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
             submittedTokens.set("host",submittedTokens.get("host_onChange"));
             submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
             submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
         }
     });
 });

View solution in original post

0 Karma

nick405060
Motivator

Here

<form script="wineventlog.js">
  <label>WinEventLog Explorer</label>
  <description></description>

  <search>
    <query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>
  <search>
    <query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
    </query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <row>
    <panel>
      <html>
        <br/>
        <p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
If <b>search raw data</b> is not selected, these data fields are searched: 
        </p>
        <ul>     
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1  button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1  button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
      <table>
      <search>
        <query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | 
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
        </query>
        <earliest>$pst_earliest1$</earliest>
        <latest>$pst_latest1$</latest>
        <progress>
          <set token="search_count">$result._count$</set>
        </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

and

 require([
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/simplexml/ready!'
 ], function($,mvc){
     var submittedTokens = mvc.Components.get("submitted");
     $("#submit_button1").click(function(){
         submittedTokens.set("submit_trigger1", ""+Math.random());
         submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
         submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
         submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
         submittedTokens.set("host",submittedTokens.get("host_onChange"));
         submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
         submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
     });
     $(document).on('keyup', function(e){
         if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") {
             submittedTokens.set("submit_trigger1", ""+Math.random());
             submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
             submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
             submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
             submittedTokens.set("host",submittedTokens.get("host_onChange"));
             submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
             submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
         }
     });
 });
0 Karma

davvik
Engager

Not sure why but this gives error on line 19, unexpected close of query.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...