Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to re-create similar data chart within splunk with Windows Event ID's

jagasiab
Engager
‎12-16-2014 06:13 AM

Hello everyone,

I'm trying to re-create a similar bar chart as seen below, within splunk.

Example: http://i.imgur.com/9o2ppBB.jpg

As you can see, it would list event ID's, with the count and percentile of events occurred. We have about 38 event ID's that would need be calculated.

Any assistance would be beneficial, as I do not yet quite understand the language splunk speaks.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎12-16-2014 06:19 AM

Hi jagasiab,

try something like this, assuming you have a field for your event ID's called EventCode:

index=* sourcetype="WinEventLog:Security" | stats count AS myCount by EventCode, host | eventstats sum(myCount) as total | eval percent = round(myCount/total, 2)  | fields - total

hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎12-16-2014 06:19 AM

Hi jagasiab,

try something like this, assuming you have a field for your event ID's called EventCode:

index=* sourcetype="WinEventLog:Security" | stats count AS myCount by EventCode, host | eventstats sum(myCount) as total | eval percent = round(myCount/total, 2)  | fields - total

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

jagasiab
Engager
‎12-17-2014 07:31 AM

Fantastic! That's what I was looking for...It's producing what I want... now I need to figure out how to start narrowing it down per each event code that is required to be audited, and the host the data is incoming from. How would I go about narrowing my search to an couple of event codes to chart out?

Thanks again MuS!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-17-2014 08:04 AM

see my updated answer and please mark this as answered if this answers your question 😉 cheers, MuS

0 Karma
Reply
Solved! Jump to solution

jagasiab
Engager
‎12-17-2014 06:41 AM

MuS,

I downloaded and got the app running, cloned the Table with data bars but I apologize I'm still quite new to splunk. I tried modifying the search string in the source of my clone data table, but I'm still not able to pull any results into the charts...

Thanks

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-17-2014 06:51 AM

I found some Windows events on my indexer and was able to use this search:

index=* sourcetype="WinEventLog:Security" | top limit=0 EventCode

adapt the search to your needs like different index or maybe sourcetype

0 Karma
Reply
Solved! Jump to solution

jagasiab
Engager
‎12-16-2014 08:54 AM

Hi,

Thanks MuS for the reply however I'm going to need a little more assistance, if I can get a search report with the template of what I'm asking, I can probably work my way from there.

Thanks,

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-16-2014 11:44 PM

Install this app https://apps.splunk.com/app/1603/ take a closer look at the Table with data bars example and use my provided search in it; this should get you started ...

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...