Solved: Re: How to extract some sourcename of a report?

jip31jip31 · ‎04-04-2018

hi,
I use this report request but I would like some sourcenames to not appear in the result.
Their name is:

Microsoft-Windows-Sysmon

Microsoft-Windows-TaskScheduler
PowerShell
MacAFee Endpoint Security

Thanks for your help

index="*" sourcetype="wineventlog:*" EventCode=* Type="*" | stats count by SourceName Type

kmaron · ‎04-04-2018

index="" sourcetype="wineventlog:" EventCode= Type="" | stats count by SourceName Type | fields - SourceName

You can remove a field from your result using the fields command and a minus

View solution in original post

kmaron · ‎04-25-2018

specify which sourcenames you do not want in the initial search:

index="*" sourcetype="wineventlog:*" EventCode=* Type="*" SourceName!="Microsoft-Windows-Sysmon" SourceName!="Microsoft-Windows-TaskScheduler" SourceName!="PowerShell" SourceName!="MacAFee Endpoint Security" | stats count by SourceName Type

or to simplify it

index="*" sourcetype="wineventlog:*" EventCode=* Type="*" NOT SourceName IN ("Microsoft-Windows-Sysmon" "Microsoft-Windows-TaskScheduler" "PowerShell" "MacAFee Endpoint Security") | stats count by SourceName Type

kmaron · ‎04-04-2018

index="" sourcetype="wineventlog:" EventCode= Type="" | stats count by SourceName Type | fields - SourceName

You can remove a field from your result using the fields command and a minus

How to extract some sourcename of a report?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?