Reporting

How to extract some sourcename of a report?

jip31jip31
Explorer

Hi,
I use this report request, but I would like some sourcenames not to appear in the result.
Their names are:

Microsoft-Windows-Sysmon
Microsoft-Windows-TaskScheduler
PowerShell
MacAFee Endpoint Security

Thanks for your help

index="*" sourcetype="wineventlog:*" EventCode=* Type="*" | stats count by SourceName Type
0 Karma
1 Solution

kmaron
Motivator
index="*" sourcetype="wineventlog:*" EventCode=* Type="*" | stats count by SourceName Type | fields - SourceName

You can remove a field from your result using the fields command and a minus.


0 Karma

kmaron
Motivator

Specify which sourcenames you do not want in the initial search:

index="*" sourcetype="wineventlog:*" EventCode=* Type="*" SourceName!="Microsoft-Windows-Sysmon" SourceName!="Microsoft-Windows-TaskScheduler" SourceName!="PowerShell" SourceName!="MacAFee Endpoint Security" | stats count by SourceName Type

Or, to simplify it:

index="*" sourcetype="wineventlog:*" EventCode=* Type="*" NOT SourceName IN ("Microsoft-Windows-Sysmon", "Microsoft-Windows-TaskScheduler", "PowerShell", "MacAFee Endpoint Security") | stats count by SourceName Type
0 Karma
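To check that an exclusion list behaves as intended before pointing it at production wineventlog data, the NOT ... IN filter from the answer above can be exercised against constructed events. This is an added example, not part of the thread: the six SourceName/Type values are made up with makeresults and eval, and only the two sources that are not on the exclusion list should survive into the stats output.

```spl
| makeresults count=6
| streamstats count AS n
| eval SourceName=case(n=1, "Microsoft-Windows-Sysmon",
                       n=2, "Microsoft-Windows-TaskScheduler",
                       n=3, "PowerShell",
                       n=4, "MacAFee Endpoint Security",
                       n=5, "Service Control Manager",
                       n=6, "Microsoft-Windows-Security-Auditing")
| eval Type=if(n=6, "Audit Success", "Information")
| fields - _time n
| search NOT SourceName IN ("Microsoft-Windows-Sysmon", "Microsoft-Windows-TaskScheduler", "PowerShell", "MacAFee Endpoint Security")
| stats count BY SourceName Type
```

Swapping the search line for the SourceName!=... form from the first variant should give the same two rows here, since stats drops events whose group-by field is missing either way.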
