
Is there an app or dashboard to explore WinEventLogs?

nick405060
Motivator

Is there an app or dashboard to search WinEventLogs? https://splunkbase.splunk.com/app/3067 doesn't really let you search your WinEventLogs; it mostly just gives high-level metrics.


nick405060
Motivator

Here

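<form script="wineventlog.js">
  <!--
    WinEventLog Explorer.

    Every input writes a *_onChange token as it is edited, and nothing is
    searched on edit. The companion wineventlog.js (script attribute above)
    copies the *_onChange tokens into $pst_earliest1$, $pst_latest1$,
    $network_id$, $host$, $logs$ and $raw$ and bumps $submit_trigger1$ when
    Submit is clicked or Enter is pressed; only then does the results table run.

    Fix: the rex capture-group names inside <query> were written as a literal
    "<eventcode>" / "<logname>". The XML parser takes "<" as the start of an
    element, which is what produces the "unexpected close of query" error on
    the following </query> line. Inside <query> they must be written as
    &lt;name&gt; (or the whole query wrapped in a CDATA section).
  -->
  <label>WinEventLog Explorer</label>
  <description></description>

  <!-- Resolve the time picker into absolute epoch bounds. An open-ended range
       reports info_max_time as +Infinity, which is replaced by now() so the
       value can be handed to the results search as a literal. -->
  <search>
    <query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>

  <!-- Turn the submitted multiselect value (comma-delimited "LogName EventCode"
       entries, or "All *") into an "EventCode=a OR EventCode=b" clause. The
       rex keeps everything after the first space, so "All *" yields
       EventCode=*. -->
  <search>
    <query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?&lt;eventcode&gt;.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
    </query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <!-- Usage notes shown above the form. -->
  <row>
    <panel>
      <html>
        <br/>
        <p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
If <b>search raw data</b> is not selected, these data fields are searched: 
        </p>
        <ul>
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <!-- $search_count$ is filled from the _count field of the results search below. -->
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <!-- Checked: $raw$ becomes "*". Unchecked: $raw$ stays "junkvalue", which
           the results search relies on to switch off its raw-text clause. -->
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <!-- The choice list is built from the last 5 minutes of data only, so an
           EventCode not seen in that window cannot be picked here. -->
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?&lt;logname&gt;.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <!-- Sets no token itself; wineventlog.js binds the click handler by this id. -->
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <!-- $hide$ is never set, so this block stays hidden. It exists only to
           carry the CSS below; the style rules presumably still apply while
           the block itself is hidden. -->
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1  button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1  button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
      <!-- Results table. Runs only once $pst_earliest1$/$pst_latest1$ are set,
           i.e. after a submit. With $raw$ = "*" the first clause searches the
           raw event text for both values; with $raw$ = "junkvalue" that clause
           presumably matches nothing and only the field-based clauses apply.
           "eval trigger=" references $submit_trigger1$ so that every submit
           produces a new search string and the table re-runs.
           NOTE(review): $network_id$ and $host$ are spliced into the query
           unescaped, so a double quote typed into either field ends the string
           literal early and alters or breaks the search. The |s token filter
           would quote the value, but as written it cannot sit inside the
           surrounding * wildcards, so the wildcards would first have to move
           into the token (e.g. in wineventlog.js).
           NOTE(review): check operator precedence here (Splunk documents OR as
           binding tighter than AND); confirm whether the raw-text clause is
           meant to be filtered by the host and EventCode clauses as well. -->
      <table>
        <search>
          <query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | 
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
          </query>
          <earliest>$pst_earliest1$</earliest>
          <latest>$pst_latest1$</latest>
          <!-- _count is hidden from the table (leading underscore) but feeds the panel title. -->
          <progress>
            <set token="search_count">$result._count$</set>
          </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>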

and

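 require([
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/simplexml/ready!'
 ], function($, mvc){
     // Glue for the WinEventLog Explorer form. The inputs write *_onChange
     // tokens as they are edited; the results table only reads the submitted
     // tokens set here, so nothing is searched until Submit or Enter.
     var submittedTokens = mvc.Components.get("submitted");

     // [destination token, source token] pairs copied on every submit, in the
     // order the original handlers set them.
     var TOKEN_PAIRS = [
         ["pst_earliest1", "pst_earliest_onChange1"],
         ["pst_latest1", "pst_latest_onChange1"],
         ["network_id", "network_id_onChange"],
         ["host", "host_onChange"],
         ["logs", "logs_onChange"],
         ["raw", "raw_onChange"]
     ];

     // Bumps the trigger token (a fresh random value, so an otherwise
     // unchanged search string still re-runs) and copies each *_onChange
     // token to its submitted counterpart.
     function submitSearch(){
         submittedTokens.set("submit_trigger1", "" + Math.random());
         TOKEN_PAIRS.forEach(function(pair){
             submittedTokens.set(pair[0], submittedTokens.get(pair[1]));
         });
     }

     $("#submit_button1").click(submitSearch);

     // Enter anywhere on the page submits. The key is read from the handler's
     // own event argument: the original consulted the global `event`, which
     // is not defined in every browser and then threw on every non-Enter key.
     $(document).on('keyup', function(e){
         if (e.which === 13 || e.keyCode === 13 || e.key === "Enter") {
             submitSearch();
         }
     });
 });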


nick405060
Motivator

Here

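<form script="wineventlog.js">
  <!--
    WinEventLog Explorer.

    Every input writes a *_onChange token as it is edited, and nothing is
    searched on edit. The companion wineventlog.js (script attribute above)
    copies the *_onChange tokens into $pst_earliest1$, $pst_latest1$,
    $network_id$, $host$, $logs$ and $raw$ and bumps $submit_trigger1$ when
    Submit is clicked or Enter is pressed; only then does the results table run.

    Fix: the rex capture-group names inside <query> were written as a literal
    "<eventcode>" / "<logname>". The XML parser takes "<" as the start of an
    element, which is what produces the "unexpected close of query" error on
    the following </query> line. Inside <query> they must be written as
    &lt;name&gt; (or the whole query wrapped in a CDATA section).
  -->
  <label>WinEventLog Explorer</label>
  <description></description>

  <!-- Resolve the time picker into absolute epoch bounds. An open-ended range
       reports info_max_time as +Infinity, which is replaced by now() so the
       value can be handed to the results search as a literal. -->
  <search>
    <query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>

  <!-- Turn the submitted multiselect value (comma-delimited "LogName EventCode"
       entries, or "All *") into an "EventCode=a OR EventCode=b" clause. The
       rex keeps everything after the first space, so "All *" yields
       EventCode=*. -->
  <search>
    <query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?&lt;eventcode&gt;.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
    </query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <!-- Usage notes shown above the form. -->
  <row>
    <panel>
      <html>
        <br/>
        <p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
If <b>search raw data</b> is not selected, these data fields are searched: 
        </p>
        <ul>
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <!-- $search_count$ is filled from the _count field of the results search below. -->
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <!-- Checked: $raw$ becomes "*". Unchecked: $raw$ stays "junkvalue", which
           the results search relies on to switch off its raw-text clause. -->
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <!-- The choice list is built from the last 5 minutes of data only, so an
           EventCode not seen in that window cannot be picked here. -->
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?&lt;logname&gt;.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <!-- Sets no token itself; wineventlog.js binds the click handler by this id. -->
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <!-- $hide$ is never set, so this block stays hidden. It exists only to
           carry the CSS below; the style rules presumably still apply while
           the block itself is hidden. -->
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1  button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1  button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
      <!-- Results table. Runs only once $pst_earliest1$/$pst_latest1$ are set,
           i.e. after a submit. With $raw$ = "*" the first clause searches the
           raw event text for both values; with $raw$ = "junkvalue" that clause
           presumably matches nothing and only the field-based clauses apply.
           "eval trigger=" references $submit_trigger1$ so that every submit
           produces a new search string and the table re-runs.
           NOTE(review): $network_id$ and $host$ are spliced into the query
           unescaped, so a double quote typed into either field ends the string
           literal early and alters or breaks the search. The |s token filter
           would quote the value, but as written it cannot sit inside the
           surrounding * wildcards, so the wildcards would first have to move
           into the token (e.g. in wineventlog.js).
           NOTE(review): check operator precedence here (Splunk documents OR as
           binding tighter than AND); confirm whether the raw-text clause is
           meant to be filtered by the host and EventCode clauses as well. -->
      <table>
        <search>
          <query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | 
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
          </query>
          <earliest>$pst_earliest1$</earliest>
          <latest>$pst_latest1$</latest>
          <!-- _count is hidden from the table (leading underscore) but feeds the panel title. -->
          <progress>
            <set token="search_count">$result._count$</set>
          </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>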

and

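 require([
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/simplexml/ready!'
 ], function($, mvc){
     // Glue for the WinEventLog Explorer form. The inputs write *_onChange
     // tokens as they are edited; the results table only reads the submitted
     // tokens set here, so nothing is searched until Submit or Enter.
     var submittedTokens = mvc.Components.get("submitted");

     // [destination token, source token] pairs copied on every submit, in the
     // order the original handlers set them.
     var TOKEN_PAIRS = [
         ["pst_earliest1", "pst_earliest_onChange1"],
         ["pst_latest1", "pst_latest_onChange1"],
         ["network_id", "network_id_onChange"],
         ["host", "host_onChange"],
         ["logs", "logs_onChange"],
         ["raw", "raw_onChange"]
     ];

     // Bumps the trigger token (a fresh random value, so an otherwise
     // unchanged search string still re-runs) and copies each *_onChange
     // token to its submitted counterpart.
     function submitSearch(){
         submittedTokens.set("submit_trigger1", "" + Math.random());
         TOKEN_PAIRS.forEach(function(pair){
             submittedTokens.set(pair[0], submittedTokens.get(pair[1]));
         });
     }

     $("#submit_button1").click(submitSearch);

     // Enter anywhere on the page submits. The key is read from the handler's
     // own event argument: the original consulted the global `event`, which
     // is not defined in every browser and then threw on every non-Enter key.
     $(document).on('keyup', function(e){
         if (e.which === 13 || e.keyCode === 13 || e.key === "Enter") {
             submitSearch();
         }
     });
 });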

davvik
Engager

Not sure why, but this gives an error on line 19: unexpected close of query.
