How to write a search to only return hosts that are not sending WinEventLog:Security events?

willamwar
Path Finder

I want to get a list of all hosts not sending "WinEventLog:Security".

So index=wineventlog, get list of hosts, remove any that have reported "WinEventLog:Security"

How can I do this?

1 Solution

willamwar
Path Finder
|tstats count WHERE index=wineventlog groupby host sourcetype | chart sum(count) over host by sourcetype | addtotals  | search Total>0 NOT WinEventLog:Security>1

I had to use NOT WinEventLog:Security>1, as isnull, =0, ="0" and <1 all did not work.

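The same check written with eval and stats instead of chart, as an added example that is not part of the original post. In the accepted search, a host with no Security events simply has no WinEventLog:Security column after chart, and a comparison against a missing field evaluates to false inside search (isnull is an eval function and is not accepted there), which is why only the negated form NOT WinEventLog:Security>1 matched. Here every host row gets an explicit per-host count, 0 when no Security events were seen, so the filter can be a plain equality and the colon in the sourcetype name never has to be used as a field name. The index and sourcetype are the ones from the question; total_events and security_events are field names chosen for this example.

```spl
| tstats count WHERE index=wineventlog BY host sourcetype
| eval security_events=if(sourcetype=="WinEventLog:Security", count, 0)
| stats sum(count) AS total_events, sum(security_events) AS security_events BY host
| where security_events=0
| table host total_events
```

Two things to keep in mind when using either version as a logging-gap check: tstats honours the time picker, so a host appears as "not sending Security" only if it sent other wineventlog data but no Security events inside that window, and a host that sent nothing at all to index=wineventlog is not in the tstats output and so never shows up; catching fully silent hosts requires comparing the host list against an external inventory rather than against the index alone.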
