I need to get Windows event details

rahul_acc_splun
New Member

index="wineventlog" sourcetype="wineventlog:security" | search (action=failure OR action=success) | search (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR EventCode=4776) | stats dc(action) as action values(dest) as dest count by user | where action>1
This query is giving me the results for users who have a success followed by a failure, but I am not able to check the number of failures per destination. Can you please help me?
I want to have one column which would have the number of failures pertaining to each user for the respective destination.

0 Karma

niketn
Legend

@rahul_acc_splunk2, first off you need to tweak your search filters for better performance. Move the 2nd and 3rd | search pipes into the base search. Filtering results upfront in the base search will boost your query performance; otherwise you will carry unwanted events from one command to the next and only eventually filter them out.

index="wineventlog" sourcetype="wineventlog:security" (action=failure OR action=success) (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR EventCode=4776) 

After the filter command, pipe the following stats command to get Success or Failure counts grouped by destination and user.

| stats count(eval(action="success")) as SuccessCount count(eval(action="failure")) as FailureCount by user dest
| search FailureCount>1

If you only want the list of all the destinations and just the count of Success vs Failure by user alone, you can use values(dest) and use by user as the aggregate:

| stats count(eval(action="success")) as SuccessCount count(eval(action="failure")) as FailureCount values(dest) as Destinations by user
| search FailureCount>1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
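The two stats variants in the answer above differ only in the group-by key: splitting by user and dest gives one failure count per target host, while splitting by user alone collapses the hosts into a values(dest) list. The following Python is an added illustration, not code from the thread or from Splunk: it re-implements the base search filter and both aggregations over a constructed set of events that carry the same fields (EventCode, action, user, dest) the SPL relies on, so you can see which rows each variant keeps. The event data and the min_failures parameter are assumptions made for the example; FailureCount>1 in SPL corresponds to min_failures=2 here.

```python
from collections import defaultdict

# Constructed sample events (hypothetical, not real log data). Each dict mimics
# the fields the thread's SPL uses: EventCode, action, user, dest.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "action": "failure", "user": "alice", "dest": "SRV01"},
    {"EventCode": 4625, "action": "failure", "user": "alice", "dest": "SRV01"},
    {"EventCode": 4624, "action": "success", "user": "alice", "dest": "SRV01"},
    {"EventCode": 4625, "action": "failure", "user": "alice", "dest": "SRV02"},
    {"EventCode": 4771, "action": "failure", "user": "bob",   "dest": "DC01"},
    {"EventCode": 4768, "action": "success", "user": "bob",   "dest": "DC01"},
    {"EventCode": 4624, "action": "success", "user": "carol", "dest": "SRV03"},
    # 4672 (special privileges assigned) is not in the EventCode list, so the
    # base search drops it even though action=success.
    {"EventCode": 4672, "action": "success", "user": "carol", "dest": "SRV03"},
    {"EventCode": 4776, "action": "failure", "user": "dave",  "dest": "DC01"},
    {"EventCode": 4776, "action": "failure", "user": "dave",  "dest": "DC01"},
    {"EventCode": 4776, "action": "failure", "user": "dave",  "dest": "DC01"},
]

# The EventCode filter from the base search in the thread.
LOGON_EVENT_CODES = {4624, 4625, 4648, 4768, 4769, 4771, 4776}


def base_search(events):
    """Equivalent of:
    (action=failure OR action=success) (EventCode=4624 OR ... OR EventCode=4776)
    Filtering here, before any aggregation, is what the answer recommends."""
    return [
        e for e in events
        if e["action"] in ("success", "failure") and e["EventCode"] in LOGON_EVENT_CODES
    ]


def stats_by_user_dest(events, min_failures=2):
    """Equivalent of:
    | stats count(eval(action="success")) as SuccessCount
            count(eval(action="failure")) as FailureCount by user dest
    | search FailureCount>1        (min_failures=2)
    Returns one row per (user, dest) pair, sorted, with per-host failure counts."""
    counts = defaultdict(lambda: {"SuccessCount": 0, "FailureCount": 0})
    for e in base_search(events):
        key = (e["user"], e["dest"])
        field = "SuccessCount" if e["action"] == "success" else "FailureCount"
        counts[key][field] += 1
    return [
        {"user": user, "dest": dest, **c}
        for (user, dest), c in sorted(counts.items())
        if c["FailureCount"] >= min_failures
    ]


def stats_by_user(events, min_failures=2):
    """Equivalent of:
    | stats count(eval(action="success")) as SuccessCount
            count(eval(action="failure")) as FailureCount
            values(dest) as Destinations by user
    | search FailureCount>1        (min_failures=2)
    One row per user; values(dest) becomes a sorted list of distinct hosts,
    so per-host failure counts are no longer visible."""
    counts = defaultdict(lambda: {"SuccessCount": 0, "FailureCount": 0, "dests": set()})
    for e in base_search(events):
        c = counts[e["user"]]
        field = "SuccessCount" if e["action"] == "success" else "FailureCount"
        c[field] += 1
        c["dests"].add(e["dest"])
    return [
        {
            "user": user,
            "SuccessCount": c["SuccessCount"],
            "FailureCount": c["FailureCount"],
            "Destinations": sorted(c["dests"]),
        }
        for user, c in sorted(counts.items())
        if c["FailureCount"] >= min_failures
    ]


if __name__ == "__main__":
    print("by user dest:")
    for row in stats_by_user_dest(SAMPLE_EVENTS):
        print(row)
    print("by user (values(dest)):")
    for row in stats_by_user(SAMPLE_EVENTS):
        print(row)
```

Running it shows the point of the thread: alice has three failures in total, but only the user/dest variant reveals that two of them are against SRV01 and one against SRV02; the user-only variant reports FailureCount 3 with Destinations ['SRV01', 'SRV02'] and loses that split. Grouping by dest is therefore the variant to use when the question is "how many failures per target host per user".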