Currently forwarding all Windows Application Logs with even ID 1000 (AppCrash Event) to splunk. Using this search allows me to see what the top crashing applications in my environment are:
EventCode=1000 | top limit=50 Faulting_application_path
My problem is many of these events only a single computer is reporting the event so makes it look like a bigger issue when it's not. Is there a way I can do that same search but only if the "ComputerName" value is not unique? Perhaps even something like | where ComputerName > 5?