Reporting

organizing multiple responses

Path Finder

How do you query an application log for multiple event codes and then organize them in a report based on what codes were seen?

I'm searching 40+ server application logs for backup exec codes and based upon success (34112 or 57755) or failure (34113 or 34114) Output the count to either a success or failure column organized by host name.

I know a way (though probably not the best way) to do either a success or failure, but not how to combine.

What I've got so far is
sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR 34112 | stats count by tag, host | rename count as Success

It works, but is only looking for instances when thing went correctly.

Tags (1)
0 Karma
1 Solution

Path Finder

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

View solution in original post

Path Finder

Thank you very much!
Both of those queries worked perfectly if differently.

0 Karma

Path Finder

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

View solution in original post

Path Finder

Thanks lukejadamec - I've update the example.

Super Champion

You can append the failure code data:

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 | stats count by tag, host | rename count as Success |append [search index=main sourcetype="WMI:WinEventLog:Application" EventCode=34113 OR EventCode=34114| stats count by tag, host | rename count as Failure]

Path Finder

I don't use sub-searches so I always forget their usefulness.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!