Getting Data In

Need to re-create similar data chart within splunk with Windows Event ID's

Engager

Hello everyone,

I'm trying to re-create a similar bar chart as seen below, within splunk.

Example: http://i.imgur.com/9o2ppBB.jpg

As you can see, it would list event IDs, with the count and percentile of events occurred. We have about 38 event IDs that would need to be calculated.

Any assistance would be beneficial, as I do not yet quite understand the language splunk speaks.

Thanks

0 Karma
1 Solution

SplunkTrust

Hi jagasiab,

try something like this, assuming you have a field for your event IDs called EventCode:

index=* sourcetype="WinEventLog:Security" | stats count AS myCount by EventCode, host | eventstats sum(myCount) as total | eval percent = round(myCount/total, 2)  | fields - total

hope this helps to get you started ...

cheers, MuS


Engager

Fantastic! That's what I was looking for... It's producing what I want... now I need to figure out how to start narrowing it down per each event code that is required to be audited, and the host the data is incoming from. How would I go about narrowing my search to a couple of event codes to chart out?

Thanks again MuS!

0 Karma

SplunkTrust

see my updated answer and please mark this as answered if this answers your question 😉 cheers, MuS

0 Karma

Engager

MuS,

I downloaded and got the app running, cloned the Table with data bars but I apologize I'm still quite new to splunk. I tried modifying the search string in the source of my clone data table, but I'm still not able to pull any results into the charts...

Thanks

0 Karma

SplunkTrust

I found some Windows events on my indexer and was able to use this search:

index=* sourcetype="WinEventLog:Security" | top limit=0 EventCode

adapt the search to your needs, like a different index or maybe a different sourcetype

0 Karma
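To make clear what the two searches in this thread compute (the accepted `stats ... | eventstats sum(...) | eval percent` pipeline and the shorter `top limit=0 EventCode`), and how the follow-up question about narrowing to a couple of event codes and splitting by host fits in, here is the same count-and-percent table built in plain Python. This is an added example, not code from MuS, from the original poster, or from Splunk; the event records are constructed to look like the `EventCode` and `host` fields of `WinEventLog:Security` events and are not real log data. One deliberate difference from the accepted search: the percent here is multiplied by 100 so it reads as a percentage rather than a fraction rounded to two decimals.

```python
from collections import Counter

# Constructed sample records: only the two fields the searches use.
SAMPLE_EVENTS = [
    {"host": "dc01", "EventCode": "4624"},
    {"host": "dc01", "EventCode": "4624"},
    {"host": "dc01", "EventCode": "4625"},
    {"host": "dc01", "EventCode": "4672"},
    {"host": "ws07", "EventCode": "4624"},
    {"host": "ws07", "EventCode": "4624"},
    {"host": "ws07", "EventCode": "4625"},
    {"host": "ws07", "EventCode": "4625"},
    {"host": "ws07", "EventCode": "4688"},
    {"host": "ws07", "EventCode": "4688"},
]


def count_by(events, fields):
    """Equivalent of `stats count by <fields>`: one row per distinct field tuple."""
    counter = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counter.items()]


def add_percent(rows):
    """Equivalent of `eventstats sum(count) as total | eval percent = ...`.

    eventstats attaches the grand total to every row, so each row's percent is
    its share of all rows that reached this point in the pipeline.
    """
    total = sum(r["count"] for r in rows)
    out = []
    for r in rows:
        r = dict(r)
        r["percent"] = round(100.0 * r["count"] / total, 2) if total else 0.0
        out.append(r)
    return out


def event_code_table(events, codes=None, by_host=False):
    """Build the table behind the bar chart.

    codes:   optional list of EventCodes to audit; filtering happens before the
             counting, so percents are relative to the narrowed set (the same
             effect as adding the EventCode filter to the base search).
    by_host: also split rows per host, like `stats count by EventCode, host`.
    """
    if codes is not None:
        wanted = {str(c) for c in codes}
        events = [e for e in events if str(e["EventCode"]) in wanted]
    fields = ["EventCode", "host"] if by_host else ["EventCode"]
    rows = add_percent(count_by(events, fields))
    # `top` orders by count descending; do the same so the chart reads top-down.
    rows.sort(key=lambda r: (-r["count"], r["EventCode"], r.get("host", "")))
    return rows


if __name__ == "__main__":
    for row in event_code_table(SAMPLE_EVENTS):
        print(row)
    print("-- narrowed to logon success/failure, per host --")
    for row in event_code_table(SAMPLE_EVENTS, codes=[4624, 4625], by_host=True):
        print(row)
```

The filtering step is the answer to the narrowing question in SPL terms as well: the narrowing belongs in the base search before the `stats`, for example `index=* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) | stats count by EventCode, host`, so that the totals and percents computed afterwards only describe the codes being audited.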

Engager

Hi,

Thanks MuS for the reply however I'm going to need a little more assistance, if I can get a search report with the template of what I'm asking, I can probably work my way from there.

Thanks,

0 Karma

SplunkTrust

Install this app https://apps.splunk.com/app/1603/ take a closer look at the Table with data bars example and use my provided search in it; this should get you started ...

0 Karma