Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I need to get Windows event details

rahul_acc_splun
New Member
‎10-30-2017 11:00 AM

index="wineventlog" sourcetype="wineventlog:security" | search (action=failure OR action=success) | search (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR EventCode=4776) | stats dc(action) as action values(dest) as dest count by user | where action>1
This query is giving me the results for user who has successful success followed by failure but i am not able to check no of failures per destination can you please help me.
I want to have 1 coloum which would have failures number pertaining to user to respective destination.

0 Karma
Reply

niketn
Legend
‎10-30-2017 12:42 PM

@rahul_acc_splunk2, first off you need to tweak your search filters for better performance. Move 2nd and 3rd | search pipes to base search. Filtering results upfront in the base search will boost your query performance, otherwise you will carry unwanted events from one command to the next and then eventually filter them out.

index="wineventlog" sourcetype="wineventlog:security" (action=failure OR action=success) (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR EventCode=4776)

After the filter command pipe the following stats command to get Success or Failure group by destinations and users.

| stats count(eval(action="success")) as SuccessCount count(eval(action="failure")) as FailureCount  by user dest
| search FailureCount>1

Only if you want list of all the destinations and just the count of Success vs Failure by user alone, you can use values(dest) and use by user as aggregate:

| stats count(eval(action="success")) as SuccessCount count(eval(action="failure")) as FailureCount  values(dest) as Destinations by user
| search FailureCount>1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...