Splunk Search

How to write a search to only return hosts that are not sending WinEventLog:Security events?

Path Finder

I want to get a list of all hosts not sending "WinEventLog:Security".

So index=wineventlog, get list of hosts, remove any that have reported "WinEventLog:Security"

How can I do this?

0 Karma
1 Solution

Path Finder
|tstats count WHERE index=wineventlog groupby host sourcetype | chart sum(count) over host by sourcetype | addtotals  | search Total>0 NOT WinEventLog:Security>1

I had to use the NOT WinEventLog:Security>1 as isnull and =0, ="0", and <1 all did not work.

View solution in original post

0 Karma

Path Finder
|tstats count WHERE index=wineventlog groupby host sourcetype | chart sum(count) over host by sourcetype | addtotals  | search Total>0 NOT WinEventLog:Security>1

I had to use the NOT WinEventLog:Security>1 as isnull and =0, ="0", and <1 all did not work.

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!