Dashboards & Visualizations

add column on a dashboard

jip31
Motivator

hi

i use this code on a count report

index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) | stats count by Type

and i would like to add a column on the report for the 3 sourcename
for example, for index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") i would like to have a Dashboard like this :

SourceName Type Count
McAfee EndPoint Security Avertissement 225
Thanks for your help

Tags (1)
0 Karma

TISKAR
Builder

Hello,

You must add a pipe "|" between stats ans eval try this:

   index="wineventlog" (sourcetype="wineventlog:application" SourceName=*endpoint* SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600  RecordNumber) 
|  stats count by Type SourceName 
| eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
0 Karma

logloganathan
Motivator

yes you can use rename

Please try the below query

index="wineventlog" (sourcetype="wineventlog:application" SourceName="McAfee Endpoint Security" EventCode= Type="Erreur RecordNumber" OR "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode= Type=Avertissement | rename sourcetype as SourceName ) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber | rename sourcetype as SourceName ) | stats count by Type SourceName

0 Karma

jip31
Motivator
index="wineventlog" (sourcetype="wineventlog:application" SourceName=*endpoint* SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600  RecordNumber) | stats count by Type SourceName eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
0 Karma

jip31jip31
Explorer

it"s almost perfect!
for Sheduled tasks operational and scheduled tasks sysmon, i want a name, toto for the first, titi for the second
and i want just erreur Critique for the 4 sourcetype
i try but i dont reach....
thanks

0 Karma

jip31
Motivator

hi

it doesnt works
this is my final code below and the error message :

index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by Type SourceName eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog:") AND Type=="Critique"), "Winevents", true(),"OTHERS")

Error:
Error in 'stats' command: The argument 'SourceName=case(match(SourceName,^McAfee),McAfee, (Type==Avertissement AND match(sourcetype,WinEventLog:Microsoft-Windows-TaskScheduler\/Operational)),Task Scheduler Operational, (match(sourcetype,^WinEventLog:Microsoft-Windows-TaskScheduler\/Operational)),Task Scheduler Sysmon, (match(sourcetype,^WinEventLog:) AND Type==Critique), Winevents, true(),OTHERS)' is invalid

0 Karma

niketn
Legend

@jip31 while you would need to re-post your query using code button 101010 for us to assist you better, based on information seems like you are looking for the following query bases on Splunk case() evaluation function.

<yourBaseSearch>
| stats count by Type SourceName
| eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", 
      (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", 
      (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon",
      (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents",
      true(),"OTHERS")

PS: match() will perform case-sensitive regular expression based pattern match by default. Same event can not match against multiple category i.e. Task Schedular Sysmon will belong to Type other than Avertissement
The true condition in the case() statement works as the default scenario where all unmatched events will be given SourceName as OTHERS. This will also allow you to test whether all case conditions are working as expected or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@jip31 please re-post the SPL in your question/comment with code button (it is one with icon 101010) in the comment text area. You can also type an enter and four spaces before your SPL or use keyboard shortcut Ctrl+K once you have selected the code are. This will prevent special characters in your SPL/Code from being escaped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jip31
Motivator

thanks
BUT
what i need is static field
this my entire request :
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=) OR (sourcetype="wineventlog:" "Type=Critique" RecordNumber) | stats count by Type SourceName

for the first part of the request i want "McAfee" instead "McAfee Endpoint" for the second i want "Task Scheduler Operational" for the third "Task Scheduler Sysmon" and for the last "WinEvents"
so the idea is to rename sourcename or sourcetype or to add a new column with static fields
but i dont know how to do
could you help me please???

0 Karma

logloganathan
Motivator

you can number of dashboard by using the below query

Please try to use the below query

1) index="wineventlog" sourcetype="wineventlog:application" SourceName=endpoint EventCode=* Type="Erreur*" | stats count by type

2)index="wineventlog" sourcetype="wineventlog:application" SourceName="endpoint" OR SourceName="McAfee Endpoint Security" EventCode=* Type="Erreur*" | stats count by SourceName type

3)index="wineventlog" sourcetype="wineventlog:application" EventCode=* Type="Erreur*" | stats count by SourceName

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...