Hi,
I use this code in a count report:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) | stats count by Type
and I would like to add a column to the report for the 3 SourceNames.
For example, for index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") I would like to have a dashboard like this:
SourceName                 Type           Count
McAfee EndPoint Security   Avertissement  225
Thanks for your help
Hello,
You must add a pipe "|" between stats and eval. Try this:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=*endpoint* SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber)
| stats count by Type SourceName sourcetype
| eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
| stats sum(count) as count by Type SourceName
Yes, you can use rename.
Please try the query below:
index="wineventlog" (sourcetype="wineventlog:application" SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) | eval SourceName=if(match(SourceName,"^McAfee"), SourceName, sourcetype) | stats count by Type SourceName
index="wineventlog" (sourcetype="wineventlog:application" SourceName=*endpoint* SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by Type SourceName eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
It's almost perfect!
For Scheduled Tasks Operational and Scheduled Tasks Sysmon I want a name: toto for the first, titi for the second,
and I want just Erreur Critique for the 4th sourcetype.
I tried but I didn't manage....
thanks
Hi,
it doesn't work.
This is my final code below and the error message:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by Type SourceName eval SourceName=case(match(SourceName,"^McAfee"),"McAfee", (Type=="Avertissement" AND match(sourcetype,"WinEventLog:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational", (match(sourcetype,"^WinEventLog:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon", (match(sourcetype,"^WinEventLog:") AND Type=="Critique"), "Winevents", true(),"OTHERS")
Error:
Error in 'stats' command: The argument 'SourceName=case(match(SourceName,^McAfee),McAfee, (Type==Avertissement AND match(sourcetype,WinEventLog:Microsoft-Windows-TaskScheduler\/Operational)),Task Scheduler Operational, (match(sourcetype,^WinEventLog:Microsoft-Windows-TaskScheduler\/Operational)),Task Scheduler Sysmon, (match(sourcetype,^WinEventLog:) AND Type==Critique), Winevents, true(),OTHERS)' is invalid
@jip31 While you would need to re-post your query using the code button (101010)
for us to assist you better, based on the information it seems like you are looking for the following query based on the Splunk case() evaluation function.
<yourBaseSearch>
| stats count by Type SourceName sourcetype
| eval SourceName=case(match(SourceName,"^McAfee"),"McAfee",
(Type=="Avertissement" AND match(sourcetype,"WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Operational",
(match(sourcetype,"^WinEventLog\:Microsoft-Windows-TaskScheduler\/Operational")),"Task Scheduler Sysmon",
(match(sourcetype,"^WinEventLog\:") AND Type=="Critique"), "Winevents",
true(),"OTHERS")
| stats sum(count) as count by Type SourceName
PS: match() will perform a case-sensitive regular-expression based pattern match by default. The same event can not match against multiple categories, i.e. Task Scheduler Sysmon will belong to a Type other than Avertissement.
The true() condition in the case() statement works as the default scenario where all unmatched events will be given SourceName as OTHERS. This will also allow you to test whether all case conditions are working as expected or not.
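As an added, self-contained example (not code from any poster in this thread): the same case() mapping run over a handful of constructed rows built with makeresults, so it can be pasted into any Splunk search bar without needing the wineventlog index. The static labels toto and titi for the two Task Scheduler buckets are the ones asked for earlier in the thread; the sourcetype, SourceName and Type values are made up to mimic the French-localised Windows events in the question. The label is computed before stats on purpose: stats only keeps its by-fields and the aggregate, so an eval that tests sourcetype after "stats count by Type SourceName" never sees that field and every non-McAfee row falls through to OTHERS.

```spl
| makeresults count=6
| streamstats count as n
| eval sourcetype=case(n<=2, "WinEventLog:Application",
                       n<=4, "WinEventLog:Microsoft-Windows-TaskScheduler/Operational",
                       true(), "WinEventLog:System")
| eval SourceName=case(n<=2, "McAfee Endpoint Security",
                       n<=4, "Microsoft-Windows-TaskScheduler",
                       true(), "Microsoft-Windows-Kernel-Power")
| eval Type=case(n<=2, "Erreur", n=3, "Avertissement", n=4, "Information", true(), "Critique")
| eval Source=case(
      match(SourceName, "^McAfee"), "McAfee",
      match(sourcetype, "(?i)TaskScheduler/Operational") AND Type=="Avertissement", "toto",
      match(sourcetype, "(?i)TaskScheduler/Operational"), "titi",
      match(sourcetype, "(?i)^WinEventLog:") AND Type=="Critique", "WinEvents",
      true(), "OTHERS")
| stats count by Source Type
```

With these six constructed rows the result is McAfee/Erreur 2, toto/Avertissement 1, titi/Information 1 and WinEvents/Critique 2. To run it on real data, replace everything up to and including the Type eval with the base search. Two details matter: the first true branch of case() wins, so the Avertissement test must come before the catch-all Task Scheduler branch, and the (?i) prefix makes the sourcetype match case-insensitive, since the stored sourcetype (WinEventLog:...) does not necessarily match the lowercase spelling used in the search.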
@jip31 Please re-post the SPL in your question/comment with the code button (it is the one with the icon 101010) in the comment text area. You can also type an enter and four spaces before your SPL, or use the keyboard shortcut Ctrl+K once you have selected the code area. This will prevent special characters in your SPL/code from being escaped.
Thanks,
BUT
what I need is a static field.
This is my entire request:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=*) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) | stats count by Type SourceName
For the first part of the request I want "McAfee" instead of "McAfee Endpoint"; for the second I want "Task Scheduler Operational"; for the third "Task Scheduler Sysmon"; and for the last "WinEvents".
So the idea is to rename SourceName or sourcetype, or to add a new column with static fields,
but I don't know how to do it.
Could you help me please???
You can get the numbers for the dashboard by using the queries below.
Please try to use the queries below:
1) index="wineventlog" sourcetype="wineventlog:application" SourceName=endpoint EventCode=* Type="Erreur*" | stats count by Type
2) index="wineventlog" sourcetype="wineventlog:application" SourceName="endpoint" OR SourceName="McAfee Endpoint Security" EventCode=* Type="Erreur*" | stats count by SourceName Type
3) index="wineventlog" sourcetype="wineventlog:application" EventCode=* Type="Erreur*" | stats count by SourceName