How to make a search for some analytics with SPL?

10061987 · ‎08-31-2023

Hi,

I need some analytics result in Splunk but i couldn't achieve. Here what i need.

1) Which EventIDs is repeated in which hostnames? I need this count based. EventID, Hostname and Count

2) Which EventIDs is used in which alerts (correleation searches and saved searches)? EventID, Alert Name

3) Which EventIDs triggered which alerts? EventID, Alert Name and count

10061987 · ‎08-31-2023

I tried below search for 2nd question but didn't work.

P.S: In my environment we parsed EventID as EventCode

Please help me..

10061987 · ‎08-31-2023

I found 1. item with this search.

index=wineventlog
| stats count by EventCode, host
| where count > 1
| sort -count
| table EventCode, host, count

I need 2 and 3rd items

Join the Conversation