
Is there an app or dashboard to explore WinEventLogs?

nick405060

Is there an app or dashboard for searching WinEventLogs? https://splunkbase.splunk.com/app/3067 doesn't really let you search your WinEventLogs; it mostly just gives high-level metrics.


nick405060

Here is the dashboard Simple XML, followed by the `wineventlog.js` it references (the script defers the main search until Submit is clicked or Enter is pressed):

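<form script="wineventlog.js">
  <label>WinEventLog Explorer</label>
  <description>Ad-hoc search of index=wineventlog by user, host/IP and event code. The main search runs only when Submit is clicked or Enter is pressed (see wineventlog.js).</description>

  <!--
    Token flow: every input writes a *_onChange token. wineventlog.js copies those into the
    submitted tokens the searches below actually read ($network_id$, $host$, $logs$, $raw$,
    $pst_earliest1$, $pst_latest1$ and the $submit_trigger1$ nonce), so typing in a field does
    not fire the (potentially expensive) main search.

    Security note: token values are substituted verbatim into SPL, and form tokens can also be
    supplied on the URL (?form.token=value), so none of them are trusted. Wherever a value lands
    inside a quoted search string it goes through the |s token filter, which quotes the value and
    escapes embedded quotes and backslashes. Values that must be wrapped in wildcards ("*value*")
    cannot use |s directly, so a helper search strips quote and backslash characters from them
    first (same technique as the $eventcodes_query$ builder), and event codes are restricted to
    digits or a lone asterisk before being turned into a search clause. This stops a dashboard
    user from rewriting the search the dashboard runs; it is not a substitute for role-based
    index restrictions, which Splunk enforces regardless of what the search string says.

    Regex capture groups are written with &lt; / &gt; because a raw "<" inside <query> is parsed
    as a tag and makes the dashboard fail to load with "unexpected close of query".
  -->

  <!-- Resolve the time picker to absolute epoch values so the script can snapshot them on submit. -->
  <search>
    <query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>

  <!--
    Sanitize the submitted free-text values for use inside "*...*" field matches in the main
    search. After SPL unescapes the literal, the replace() pattern is a character class matching
    a double quote or a backslash, so both are dropped. A value that ends up empty falls back to
    "*" so the main search still has a token to run on.
  -->
  <search>
    <query>
| makeresults | eval nid=$network_id|s$, hst=$host|s$ | eval nid=replace(nid, "[\"\\\\]", ""), hst=replace(hst, "[\"\\\\]", "") | eval nid=if(isnull(nid) OR len(nid)=0, "*", nid), hst=if(isnull(hst) OR len(hst)=0, "*", hst)
    </query>
    <preview>
      <set token="network_id_safe">$result.nid$</set>
      <set token="host_safe">$result.hst$</set>
    </preview>
  </search>

  <!--
    Turn the multiselect value ("Security 4624,System 7036,..." or "All *") into an EventCode
    clause. Only all-digit codes or a lone * survive the allowlist; if nothing survives, fall
    back to EventCode=* (what "All" selects) rather than leaving the clause unset. The literal $
    at the end of the regex is written $$ so the token parser does not treat it as a token.
  -->
  <search>
    <query>
| makeresults | eval initial_logs=$logs|s$ | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?&lt;eventcode&gt;.+)" | stats values(eventcode) AS eventcodes | eval eventcodes=mvfilter(match(eventcodes, "^([0-9]+|[*])$$")) | eval eventcodes_query=if(isnull(eventcodes), "EventCode=*", "EventCode=".mvjoin(eventcodes," OR EventCode="))
    </query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <row>
    <panel>
      <html>
        <br/>
        <p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
If <b>search raw data</b> is not selected, these data fields are searched: 
        </p>
        <ul>     
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <!-- $search_count$ is set from the main search's eventstats count (see the table below). -->
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <!--
        Checked: token is "*", so _time="*" in the main search is always true and raw-term
        matching is enabled. Unchecked: token is "junkvalue", so that branch is always false.
      -->
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <!--
        Populated from whatever the index has seen recently. NOTE(review): only log/code pairs
        seen in the last 5 minutes are offered; widen the window if the list looks incomplete.
        dedup is on both source and EventCode so a code that occurs in more than one log is
        listed under each log rather than under the first one encountered.
      -->
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-5m latest=now | dedup source EventCode | rex field=source "WinEventLog:(?&lt;logname&gt;.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <!-- Link input styled as a button; the click handler lives in wineventlog.js. -->
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <!-- $hide$ is never set, so this panel stays hidden; it exists only to inject the CSS below. -->
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1  button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1  button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
      <!--
        Main search. The first OR branch is raw-term matching (only live when $raw$ is "*"); the
        second matches the sanitized values, wrapped in wildcards, against the user and host/IP
        fields listed in the help panel. NOTE(review): SPL evaluates OR before AND, so the host
        clause and the event-code clause appear to apply in raw mode as well; confirm that is
        intended. The eval of $submit_trigger1$ is a per-submit nonce whose only job is to make
        the search re-run on every submit. The streamstats/stats pair keeps one row per event
        (temp_count is unique per row) while values(*) collapses duplicate multivalue entries.
      -->
      <table>
      <search>
        <query>
index=wineventlog (($network_id|s$ AND $host|s$) AND _time=$raw|s$) OR (user="*$network_id_safe$*" OR User="*$network_id_safe$*" OR Mapped_Name="*$network_id_safe$*") AND (host="*$host_safe$*" OR src="*$host_safe$*" OR Caller_Computer_Name="*$host_safe$*" OR Source_Address="*$host_safe$*" OR Source_Network_Address="*$host_safe$*" OR Network_Address="*$host_safe$*" OR Destination_Address="*$host_safe$*") $eventcodes_query$ |
eval trigger=$submit_trigger1|s$ | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | 
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
        </query>
        <earliest>$pst_earliest1$</earliest>
        <latest>$pst_latest1$</latest>
        <progress>
          <set token="search_count">$result._count$</set>
        </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>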

and the accompanying `wineventlog.js` (placed in the app's appserver/static directory):

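 require([
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/simplexml/ready!'
 ], function($, mvc){
     // Deferred-submit glue for the WinEventLog Explorer dashboard. The inputs only write
     // *_onChange tokens; the searches read the un-suffixed tokens set here, so the main
     // search runs on an explicit Submit (button or Enter) rather than on every keystroke.
     var submittedTokens = mvc.Components.get("submitted");

     // Copy the staged input values into the tokens the searches depend on. Shared by the
     // click and keyboard handlers so the two paths cannot drift apart.
     function submit(){
         // Fresh nonce each time so the main search re-runs even if no input value changed.
         submittedTokens.set("submit_trigger1", ""+Math.random());
         submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
         submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
         submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
         submittedTokens.set("host",submittedTokens.get("host_onChange"));
         submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
         submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
     }

     $("#submit_button1").click(function(){
         submit();
     });

     // Enter anywhere on the page submits. Only the jQuery event argument is consulted: the
     // original also read the global `event`, which is not a global in every browser and
     // then throws a ReferenceError on every non-Enter key.
     $(document).on('keyup', function(e){
         if (e.key === "Enter" || e.which === 13 || e.keyCode === 13) {
             submit();
         }
     });
 });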



nick405060

Here is the dashboard Simple XML, followed by the `wineventlog.js` it references (the script defers the main search until Submit is clicked or Enter is pressed):

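<form script="wineventlog.js">
  <label>WinEventLog Explorer</label>
  <description>Ad-hoc search of index=wineventlog by user, host/IP and event code. The main search runs only when Submit is clicked or Enter is pressed (see wineventlog.js).</description>

  <!--
    Token flow: every input writes a *_onChange token. wineventlog.js copies those into the
    submitted tokens the searches below actually read ($network_id$, $host$, $logs$, $raw$,
    $pst_earliest1$, $pst_latest1$ and the $submit_trigger1$ nonce), so typing in a field does
    not fire the (potentially expensive) main search.

    Security note: token values are substituted verbatim into SPL, and form tokens can also be
    supplied on the URL (?form.token=value), so none of them are trusted. Wherever a value lands
    inside a quoted search string it goes through the |s token filter, which quotes the value and
    escapes embedded quotes and backslashes. Values that must be wrapped in wildcards ("*value*")
    cannot use |s directly, so a helper search strips quote and backslash characters from them
    first (same technique as the $eventcodes_query$ builder), and event codes are restricted to
    digits or a lone asterisk before being turned into a search clause. This stops a dashboard
    user from rewriting the search the dashboard runs; it is not a substitute for role-based
    index restrictions, which Splunk enforces regardless of what the search string says.

    Regex capture groups are written with &lt; / &gt; because a raw "<" inside <query> is parsed
    as a tag and makes the dashboard fail to load with "unexpected close of query".
  -->

  <!-- Resolve the time picker to absolute epoch values so the script can snapshot them on submit. -->
  <search>
    <query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
    </query>
    <earliest>$TIMERANGE1.earliest$</earliest>
    <latest>$TIMERANGE1.latest$</latest>
    <preview>
      <set token="pst_earliest_onChange1">$result.temp_earliest$</set>
      <set token="pst_latest_onChange1">$result.temp_latest$</set>
    </preview>
  </search>

  <!--
    Sanitize the submitted free-text values for use inside "*...*" field matches in the main
    search. After SPL unescapes the literal, the replace() pattern is a character class matching
    a double quote or a backslash, so both are dropped. A value that ends up empty falls back to
    "*" so the main search still has a token to run on.
  -->
  <search>
    <query>
| makeresults | eval nid=$network_id|s$, hst=$host|s$ | eval nid=replace(nid, "[\"\\\\]", ""), hst=replace(hst, "[\"\\\\]", "") | eval nid=if(isnull(nid) OR len(nid)=0, "*", nid), hst=if(isnull(hst) OR len(hst)=0, "*", hst)
    </query>
    <preview>
      <set token="network_id_safe">$result.nid$</set>
      <set token="host_safe">$result.hst$</set>
    </preview>
  </search>

  <!--
    Turn the multiselect value ("Security 4624,System 7036,..." or "All *") into an EventCode
    clause. Only all-digit codes or a lone * survive the allowlist; if nothing survives, fall
    back to EventCode=* (what "All" selects) rather than leaving the clause unset. The literal $
    at the end of the regex is written $$ so the token parser does not treat it as a token.
  -->
  <search>
    <query>
| makeresults | eval initial_logs=$logs|s$ | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?&lt;eventcode&gt;.+)" | stats values(eventcode) AS eventcodes | eval eventcodes=mvfilter(match(eventcodes, "^([0-9]+|[*])$$")) | eval eventcodes_query=if(isnull(eventcodes), "EventCode=*", "EventCode=".mvjoin(eventcodes," OR EventCode="))
    </query>
    <preview>
      <set token="eventcodes_query">$result.eventcodes_query$</set>
    </preview>
  </search>

  <row>
    <panel>
      <html>
        <br/>
        <p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
        </p>
        <p>
If <b>search raw data</b> is not selected, these data fields are searched: 
        </p>
        <ul>     
          <li>
            <p>NetworkID -- user, User, Mapped_Name</p>
          </li>
          <li>
            <p>Hostname -- host, src, Caller_Computer_Name</p>
          </li>
          <li>
            <p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
          </li>
        </ul>
        <br/>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <!-- $search_count$ is set from the main search's eventstats count (see the table below). -->
      <title>Search ($search_count$)</title>
      <input type="time" token="TIMERANGE1">
        <label>Period:</label>
        <default>
          <earliest>@d</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="text" token="network_id_onChange">
        <label>NetworkID:</label>
        <default>*</default>
      </input>
      <input type="text" token="host_onChange">
        <label>Hostname or IP:</label>
        <default>*</default>
      </input>
      <!--
        Checked: token is "*", so _time="*" in the main search is always true and raw-term
        matching is enabled. Unchecked: token is "junkvalue", so that branch is always false.
      -->
      <input type="checkbox" token="raw_onChange">
        <label></label>
        <choice value="*">Search raw data?</choice>
        <default>junkvalue</default>
      </input>
      <!--
        Populated from whatever the index has seen recently. NOTE(review): only log/code pairs
        seen in the last 5 minutes are offered; widen the window if the list looks incomplete.
        dedup is on both source and EventCode so a code that occurs in more than one log is
        listed under each log rather than under the first one encountered.
      -->
      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-5m latest=now | dedup source EventCode | rex field=source "WinEventLog:(?&lt;logname&gt;.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>
      <!-- Link input styled as a button; the click handler lives in wineventlog.js. -->
      <input type="link" id="submit_button1">
        <label></label>
        <choice value="submit">Submit</choice>
      </input>
      <!-- $hide$ is never set, so this panel stays hidden; it exists only to inject the CSS below. -->
      <html depends="$hide$">
        <style>
          #multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 350px !important;
          }
          #multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 350px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
          #submit_button1{
            width:80px !important;
          }
          #submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
            width:80px !important;
          }
          #submit_button1  button{
            padding: 6px 15px !important;
            border-radius: 3px !important;
            font-weight: 500 !important;
            background-color: #5cc05c !important;
            border: transparent !important;
            color: #fff !important;
          }
          #submit_button1  button:hover{
            background-color: #40a540 !important;
            border-color: transparent !important;
          }
        </style>
      </html>
      <!--
        Main search. The first OR branch is raw-term matching (only live when $raw$ is "*"); the
        second matches the sanitized values, wrapped in wildcards, against the user and host/IP
        fields listed in the help panel. NOTE(review): SPL evaluates OR before AND, so the host
        clause and the event-code clause appear to apply in raw mode as well; confirm that is
        intended. The eval of $submit_trigger1$ is a per-submit nonce whose only job is to make
        the search re-run on every submit. The streamstats/stats pair keeps one row per event
        (temp_count is unique per row) while values(*) collapses duplicate multivalue entries.
      -->
      <table>
      <search>
        <query>
index=wineventlog (($network_id|s$ AND $host|s$) AND _time=$raw|s$) OR (user="*$network_id_safe$*" OR User="*$network_id_safe$*" OR Mapped_Name="*$network_id_safe$*") AND (host="*$host_safe$*" OR src="*$host_safe$*" OR Caller_Computer_Name="*$host_safe$*" OR Source_Address="*$host_safe$*" OR Source_Network_Address="*$host_safe$*" OR Network_Address="*$host_safe$*" OR Destination_Address="*$host_safe$*") $eventcodes_query$ |
eval trigger=$submit_trigger1|s$ | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name | 
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
        </query>
        <earliest>$pst_earliest1$</earliest>
        <latest>$pst_latest1$</latest>
        <progress>
          <set token="search_count">$result._count$</set>
        </progress>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>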

and the accompanying `wineventlog.js` (placed in the app's appserver/static directory):

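 require([
     'jquery',
     'splunkjs/mvc',
     'splunkjs/mvc/simplexml/ready!'
 ], function($, mvc){
     // Deferred-submit glue for the WinEventLog Explorer dashboard. The inputs only write
     // *_onChange tokens; the searches read the un-suffixed tokens set here, so the main
     // search runs on an explicit Submit (button or Enter) rather than on every keystroke.
     var submittedTokens = mvc.Components.get("submitted");

     // Copy the staged input values into the tokens the searches depend on. Shared by the
     // click and keyboard handlers so the two paths cannot drift apart.
     function submit(){
         // Fresh nonce each time so the main search re-runs even if no input value changed.
         submittedTokens.set("submit_trigger1", ""+Math.random());
         submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
         submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
         submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
         submittedTokens.set("host",submittedTokens.get("host_onChange"));
         submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
         submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
     }

     $("#submit_button1").click(function(){
         submit();
     });

     // Enter anywhere on the page submits. Only the jQuery event argument is consulted: the
     // original also read the global `event`, which is not a global in every browser and
     // then throws a ReferenceError on every non-Enter key.
     $(document).on('keyup', function(e){
         if (e.key === "Enter" || e.which === 13 || e.keyCode === 13) {
             submit();
         }
     });
 });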

davvik

Not sure why, but this gives an error on line 19 of the dashboard XML: "unexpected close of query".
