Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Is there an app or dashboard to explore WinEventLo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-10-2020
10:36 AM
Is there an app or dashboard to search WinEventLogs? https://splunkbase.splunk.com/app/3067 doesn't really let you search your WinEventLogs, it mostly just gives high level metrics
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-10-2020
10:38 AM
Here
<form script="wineventlog.js">
<label>WinEventLog Explorer</label>
<description></description>
<search>
<query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
</query>
<earliest>$TIMERANGE1.earliest$</earliest>
<latest>$TIMERANGE1.latest$</latest>
<preview>
<set token="pst_earliest_onChange1">$result.temp_earliest$</set>
<set token="pst_latest_onChange1">$result.temp_latest$</set>
</preview>
</search>
<search>
<query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
</query>
<preview>
<set token="eventcodes_query">$result.eventcodes_query$</set>
</preview>
</search>
<row>
<panel>
<html>
<br/>
<p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
</p>
<p>
If <b>search raw data</b> is not selected, these data fields are searched:
</p>
<ul>
<li>
<p>NetworkID -- user, User, Mapped_Name</p>
</li>
<li>
<p>Hostname -- host, src, Caller_Computer_Name</p>
</li>
<li>
<p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
</li>
</ul>
<br/>
</html>
</panel>
</row>
<row>
<panel>
<title>Search ($search_count$)</title>
<input type="time" token="TIMERANGE1">
<label>Period:</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="network_id_onChange">
<label>NetworkID:</label>
<default>*</default>
</input>
<input type="text" token="host_onChange">
<label>Hostname or IP:</label>
<default>*</default>
</input>
<input type="checkbox" token="raw_onChange">
<label></label>
<choice value="*">Search raw data?</choice>
<default>junkvalue</default>
</input>
<input type="multiselect" token="logs_onChange" id="multiselect_logs">
<label>Log(s):</label>
<choice value="All *">All</choice>
<search>
<query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
</query>
</search>
<fieldForLabel>log</fieldForLabel>
<fieldForValue>log</fieldForValue>
<delimiter>,</delimiter>
<default>All *</default>
</input>
<input type="link" id="submit_button1">
<label></label>
<choice value="submit">Submit</choice>
</input>
<html depends="$hide$">
<style>
#multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
width: 350px !important;
}
#multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
width: 350px !important;
margin-right: auto !important;
}
.fieldset .input{
width:auto !important;
}
#submit_button1{
width:80px !important;
}
#submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
width:80px !important;
}
#submit_button1 button{
padding: 6px 15px !important;
border-radius: 3px !important;
font-weight: 500 !important;
background-color: #5cc05c !important;
border: transparent !important;
color: #fff !important;
}
#submit_button1 button:hover{
background-color: #40a540 !important;
border-color: transparent !important;
}
</style>
</html>
<table>
<search>
<query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name |
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
</query>
<earliest>$pst_earliest1$</earliest>
<latest>$pst_latest1$</latest>
<progress>
<set token="search_count">$result._count$</set>
</progress>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
and
require([
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/simplexml/ready!'
], function($,mvc){
var submittedTokens = mvc.Components.get("submitted");
$("#submit_button1").click(function(){
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
});
$(document).on('keyup', function(e){
if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") {
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
}
});
});
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-10-2020
10:38 AM
Here
<form script="wineventlog.js">
<label>WinEventLog Explorer</label>
<description></description>
<search>
<query>
| makeresults | addinfo | eval temp_earliest=info_min_time | eval temp_latest=if(info_max_time="+Infinity",now(),info_max_time)
</query>
<earliest>$TIMERANGE1.earliest$</earliest>
<latest>$TIMERANGE1.latest$</latest>
<preview>
<set token="pst_earliest_onChange1">$result.temp_earliest$</set>
<set token="pst_latest_onChange1">$result.temp_latest$</set>
</preview>
</search>
<search>
<query>
| makeresults | eval initial_logs="$logs$" | eval logs=split(initial_logs,",") | mvexpand logs | rex field=logs " (?<eventcode>.+)" | stats values(eventcode) AS eventcodes | eval eventcodes_query="EventCode=".mvjoin(eventcodes," OR EventCode=")
</query>
<preview>
<set token="eventcodes_query">$result.eventcodes_query$</set>
</preview>
</search>
<row>
<panel>
<html>
<br/>
<p>
Select <b>search raw data</b> to search raw data. <b>Strongly not recommended</b> for time periods greater than 1h.
</p>
<p>
If <b>search raw data</b> is not selected, these data fields are searched:
</p>
<ul>
<li>
<p>NetworkID -- user, User, Mapped_Name</p>
</li>
<li>
<p>Hostname -- host, src, Caller_Computer_Name</p>
</li>
<li>
<p>IP -- Source_Address, Source_Network_Address, Network_Address, Destination_Address</p>
</li>
</ul>
<br/>
</html>
</panel>
</row>
<row>
<panel>
<title>Search ($search_count$)</title>
<input type="time" token="TIMERANGE1">
<label>Period:</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="network_id_onChange">
<label>NetworkID:</label>
<default>*</default>
</input>
<input type="text" token="host_onChange">
<label>Hostname or IP:</label>
<default>*</default>
</input>
<input type="checkbox" token="raw_onChange">
<label></label>
<choice value="*">Search raw data?</choice>
<default>junkvalue</default>
</input>
<input type="multiselect" token="logs_onChange" id="multiselect_logs">
<label>Log(s):</label>
<choice value="All *">All</choice>
<search>
<query>
index=wineventlog earliest=-5m latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
</query>
</search>
<fieldForLabel>log</fieldForLabel>
<fieldForValue>log</fieldForValue>
<delimiter>,</delimiter>
<default>All *</default>
</input>
<input type="link" id="submit_button1">
<label></label>
<choice value="submit">Submit</choice>
</input>
<html depends="$hide$">
<style>
#multiselect_logs div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
width: 350px !important;
}
#multiselect_logs div[data-view="splunkjs/mvc/multidropdownview"]{
width: 350px !important;
margin-right: auto !important;
}
.fieldset .input{
width:auto !important;
}
#submit_button1{
width:80px !important;
}
#submit_button1 div[data-component="splunk-core:/splunkjs/mvc/components/LinkList"]{
width:80px !important;
}
#submit_button1 button{
padding: 6px 15px !important;
border-radius: 3px !important;
font-weight: 500 !important;
background-color: #5cc05c !important;
border: transparent !important;
color: #fff !important;
}
#submit_button1 button:hover{
background-color: #40a540 !important;
border-color: transparent !important;
}
</style>
</html>
<table>
<search>
<query>
index=wineventlog (("$network_id$" AND "$host$") AND _time="$raw$") OR (user="*$network_id$*" OR User="*$network_id$*" OR Mapped_Name="*$network_id$*") AND (host="*$host$*" OR src="*$host$*" OR Caller_Computer_Name="*$host$*" OR Source_Address="*$host$*" OR Source_Network_Address="*$host$*" OR Network_Address="*$host$*" OR Destination_Address="*$host$*") $eventcodes_query$ |
eval trigger="$submit_trigger1$" | sort 0 - _time | rename _time AS time | eval time=strftime(time,"%m-%d-%Y %H:%M:%S") | table time source EventCode EventCodeDescription user User Mapped_Name host src Source_Address Caller_Computer_Name Workstation_Name Source_Network_Address Network_Address Destination_Address Keywords Application_Name Process_Name |
streamstats count as temp_count | stats values(*) as * by temp_count | fields - temp_count | table time* source* EventCode* EventCodeDescription* user* User* Mapped_Name* host* src* Source_Address* Caller_Computer_Name* Workstation_Name* Source_Network_Address* Network_Address* Destination_Address* Keywords* Application_Name* Process_Name* | eventstats count as _count
</query>
<earliest>$pst_earliest1$</earliest>
<latest>$pst_latest1$</latest>
<progress>
<set token="search_count">$result._count$</set>
</progress>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
and
require([
'jquery',
'splunkjs/mvc',
'splunkjs/mvc/simplexml/ready!'
], function($,mvc){
var submittedTokens = mvc.Components.get("submitted");
$("#submit_button1").click(function(){
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
});
$(document).on('keyup', function(e){
if (e.which === 13 || event.keyCode === 13 || event.key === "Enter") {
submittedTokens.set("submit_trigger1", ""+Math.random());
submittedTokens.set("pst_earliest1",submittedTokens.get("pst_earliest_onChange1"));
submittedTokens.set("pst_latest1",submittedTokens.get("pst_latest_onChange1"));
submittedTokens.set("network_id",submittedTokens.get("network_id_onChange"));
submittedTokens.set("host",submittedTokens.get("host_onChange"));
submittedTokens.set("logs",submittedTokens.get("logs_onChange"));
submittedTokens.set("raw",submittedTokens.get("raw_onChange"));
}
});
});
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davvik
Engager
11-14-2023
07:58 AM
Not sure why but this gives error on line 19, unexpected close of query.
Get Updates on the Splunk Community!
More Control Over Your Monitoring Costs with Archived Metrics!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
Updated Team Landing Page in Splunk Observability
We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...
