- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Need to re-create similar data chart within sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
I'm trying to re-create a similar bar chart as seen below, within splunk.
Example: http://i.imgur.com/9o2ppBB.jpg
As you can see, it would list event ID's, with the count and percentile of events occurred. We have about 38 event ID's that would need be calculated.
Any assistance would be beneficial, as I do not yet quite understand the language splunk speaks.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jagasiab,
try something like this, assuming you have a field for your event ID's called EventCode:
index=* sourcetype="WinEventLog:Security" | stats count AS myCount by EventCode, host | eventstats sum(myCount) as total | eval percent = round(myCount/total, 2) | fields - total
hope this helps to get you started ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jagasiab,
try something like this, assuming you have a field for your event ID's called EventCode:
index=* sourcetype="WinEventLog:Security" | stats count AS myCount by EventCode, host | eventstats sum(myCount) as total | eval percent = round(myCount/total, 2) | fields - total
hope this helps to get you started ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fantastic! That's what I was looking for...It's producing what I want... now I need to figure out how to start narrowing it down per each event code that is required to be audited, and the host the data is incoming from. How would I go about narrowing my search to an couple of event codes to chart out?
Thanks again MuS!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see my updated answer and please mark this as answered if this answers your question 😉 cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS,
I downloaded and got the app running, cloned the Table with data bars but I apologize I'm still quite new to splunk. I tried modifying the search string in the source of my clone data table, but I'm still not able to pull any results into the charts...
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found some Windows events on my indexer and was able to use this search:
index=* sourcetype="WinEventLog:Security" | top limit=0 EventCode
adapt the search to your needs like different index or maybe sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks MuS for the reply however I'm going to need a little more assistance, if I can get a search report with the template of what I'm asking, I can probably work my way from there.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Install this app https://apps.splunk.com/app/1603/ take a closer look at the Table with data bars example and use my provided search in it; this should get you started ...
Changes to Splunk Instructor-Led Training Completion Criteria
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
