Re: Search Results into a table

splunknewbie81 · ‎07-05-2021

Hi guys,

I am new to splunk and would like to create a report based off the number of times a particular windows event code is showing up.

My search String -
index="windows-servers"
sourcetype = WinEventLog:Security
EventCode=4625
| table ComputerName , EventCode, Message

The above gives me what I want but I would like to streamline it further so that it shows up in a csv file. The table I have in mind is something like below.

Can someone please guide me or point me in the right direction, please? Thank you so much

Hostname	EventCode	Number of Times showing up	Action	Message	User Account

venkatasri · ‎07-05-2021

@splunknewbie81 Do you want to visually see the results in CSV format or export them? table/stats command just shows the information in tabular format visually underlying they are not CSV format.

If you want the CSV format you shall export the results which you can find in search app itself. Same can be achieved using Splunk Rest API calls.

---

An upvote would be appreciated if it helps!

General_Talos · ‎07-05-2021

Try using

index="windows-servers" sourcetype = WinEventLog:Security EventCode=4625 
| stats count as "Number of Times showing up" values(EventCode) as EventCode by Message Workstation_Name action user 
| rename Workstation_Name as Hostname,user as "	User Account",action as Action

Search Results into a table

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!