Splunk Search

Search Results into a table

splunknewbie81
Engager

Hi guys,

I am new to Splunk and would like to create a report based on the number of times a particular Windows event code is showing up.

My search string:

index="windows-servers"
sourcetype=WinEventLog:Security
EventCode=4625
| table ComputerName, EventCode, Message

The above gives me what I want but I would like to streamline it further so that it shows up in a csv file. The table I have in mind is something like below.

Can someone please guide me or point me in the right direction, please? Thank you so much

Hostname | EventCode | Number of Times showing up | Action | Message | User Account


venkatasri
SplunkTrust

@splunknewbie81 Do you want to visually see the results in CSV format, or export them? The table/stats commands just show the information in tabular format visually; underneath, the results are not in CSV format.

If you want the CSV format, you shall export the results, which you can do from the Search app itself. The same can be achieved using Splunk REST API calls.

---

An upvote would be appreciated if it helps!


General_Talos
Path Finder

Try using

index="windows-servers" sourcetype=WinEventLog:Security EventCode=4625
| stats count as "Number of Times showing up" values(EventCode) as EventCode by Message Workstation_Name action user
| rename Workstation_Name as Hostname, user as "User Account", action as Action
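The same grouping as the stats search above, as an added Python example that is not from this thread: it parses a few constructed key=value events in the shape Splunk shows for WinEventLog:Security, keeps only EventCode 4625, counts occurrences per host, action, message and user, and writes the CSV columns the question asked for. It groups on ComputerName (the host that logged the event, as in the original search) rather than Workstation_Name; the sample lines and field names are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample events (not real log data) in the key=value form Splunk
# extracts for WinEventLog:Security. Message is last because it contains spaces.
SAMPLE_EVENTS = [
    "ComputerName=DC01 EventCode=4625 action=failure user=jdoe Workstation_Name=WS17 Message=An account failed to log on.",
    "ComputerName=DC01 EventCode=4625 action=failure user=jdoe Workstation_Name=WS17 Message=An account failed to log on.",
    "ComputerName=DC01 EventCode=4625 action=failure user=svc_backup Workstation_Name=WS03 Message=An account failed to log on.",
    "ComputerName=FS02 EventCode=4625 action=failure user=jdoe Workstation_Name=WS17 Message=An account failed to log on.",
    "ComputerName=DC01 EventCode=4624 action=success user=jdoe Workstation_Name=WS17 Message=An account was successfully logged on.",
]

# key=value pairs; a value runs until the next " key=" or end of line, so spaces inside values survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

COLUMNS = ["Hostname", "EventCode", "Number of Times showing up", "Action", "Message", "User Account"]


def parse_event(line):
    """Turn one key=value line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def summarize_failed_logons(lines, event_code="4625"):
    """Equivalent of: EventCode=4625 | stats count by ComputerName EventCode action Message user."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != event_code:   # the search filter; drop 4624 etc.
            continue
        key = (ev.get("ComputerName", ""), ev["EventCode"], ev.get("action", ""),
               ev.get("Message", ""), ev.get("user", ""))
        counts[key] += 1
    # Most frequent first, then alphabetical by the group key for a stable order.
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [dict(zip(COLUMNS, (host, code, n, action, message, user)))
            for (host, code, action, message, user), n in ordered]


def rows_to_csv(rows):
    """Render the summary rows as CSV text with the requested column headers."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(summarize_failed_logons(SAMPLE_EVENTS)))
```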