Splunk Search
Highlighted

How to write a search to only return hosts that are not sending WinEventLog:Security events?

Path Finder

I want to get a list of all hosts not sending "WinEventLog:Security".

So index=wineventlog, get list of hosts, remove any that have reported "WinEventLog:Security"

How can I do this?

0 Karma
Highlighted

Re: How to write a search to only return hosts that are not sending WinEventLog:Security events?

Path Finder
|tstats count WHERE index=wineventlog groupby host sourcetype | chart sum(count) over host by sourcetype | addtotals  | search Total>0 NOT WinEventLog:Security>1

I had to use the NOT WinEventLog:Security>1 as isnull and =0, ="0", and <1 all did not work.

View solution in original post

0 Karma