Splunk Search

Total occurrences within a column

dmarcantonionw
Engager

I am pulling Windows event logs for software updates. There's a column for successRatio that is either Success or Failure as the result. I would like to append my event log search query to give me a total number of Success and total number of Failure. Bonus points if we can make it a numerical value on a dashboard. Here is my initial search query:

index=wineventlog sourcetype=WinEventLog:System EventCode=19
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "\WKB(?<KB>.\d+)\W"
| eval successRatio=mvindex(split(Keywords,","),-1)
| stats count by Date, host, package_title, KB, body, successRatio
| sort host

This works great, but like I said, I'd like to have a total count of success and failures available in a report and a dashboard.

0 Karma

mayurr98
Super Champion

Hey, try this:

index=wineventlog sourcetype=WinEventLog:System EventCode=19 
| eval Date=strftime(_time, "%Y/%m/%d") 
| rex "\WKB(?<KB>.\d+)\W" 
| eval successRatio=mvindex(split(Keywords,","),-1) 
| stats count(eval(successRatio="Success")) as "Success_Count" count(eval(successRatio="Failure")) as "Failure_Count" by Date , host, package_title, KB , body 
| sort host

let me know if this helps!

0 Karma

adonio
Ultra Champion

Hello there,

please try out this search:

  index=wineventlog sourcetype=WinEventLog:System EventCode=19 
    | eval Date=strftime(_time, "%Y/%m/%d") 
    | rex "\WKB(?<KB>.\d+)\W" 
    | rex field=Keywords "\w+,\s+(?<status>\S+)"
    | stats count(eval(status="Success")) as succeeded count(eval(status="Failure")) as failed

from here you can take it however you would like

hope it helps

0 Karma
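As an added example (this is not code from the question or from either answer), here is a Splunk Simple XML dashboard that covers the bonus ask: the Success and Failure totals as single-value panels, plus a per-host breakdown with a totals row. It assumes the same index, sourcetype and field names used in the question. Two things differ from the posted searches and are my own choices: `trim()` is wrapped around the `mvindex()` result, because `split()` does not strip the space that follows a comma in a Keywords value such as `Classic, Success`, and a leading space makes the comparison `successRatio="Success"` silently match nothing; and the KB regex is tightened to `\bKB(?<KB>\d+)\b`, since `.\d+` also swallows one arbitrary character. The dashboard label and the `tok_time` token name are placeholders.

```xml
<form>
  <label>Windows Update install results</label>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: the question's search, with the final stats split by outcome.
       trim() is an addition so values like "Classic, Success" (space after the
       comma) still compare equal to "Success". The base search is transforming,
       so the post-process searches below work on its aggregated rows. -->
  <search id="base">
    <query><![CDATA[
index=wineventlog sourcetype=WinEventLog:System EventCode=19
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "\bKB(?<KB>\d+)\b"
| eval successRatio=trim(mvindex(split(Keywords,","),-1))
| stats count by Date, host, package_title, KB, body, successRatio
    ]]></query>
    <earliest>$tok_time.earliest$</earliest>
    <latest>$tok_time.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Successful installs</title>
      <single>
        <!-- Post-process search: roll the base rows up to one number.
             sum(eval(if(...))) yields 0 instead of an empty result when nothing matches. -->
        <search base="base">
          <query>| stats sum(eval(if(successRatio="Success", count, 0))) as Success_Count</query>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
      </single>
    </panel>
    <panel>
      <title>Failed installs</title>
      <single>
        <search base="base">
          <query>| stats sum(eval(if(successRatio="Failure", count, 0))) as Failure_Count</query>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <!-- Green when failures are 0, red for any value above 0 -->
        <option name="colorBy">value</option>
        <option name="useColors">1</option>
        <option name="rangeValues">[0]</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
      </single>
    </panel>
  </row>

  <row>
    <panel>
      <title>Success / Failure by host</title>
      <table>
        <!-- One column per outcome value, plus a Total row from addcoltotals -->
        <search base="base">
          <query>| chart sum(count) over host by successRatio
| addcoltotals labelfield=host label="Total"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

To use it, create a new dashboard in Splunk Web, switch to the Source editor and paste the XML in. Because the base search already aggregates with `stats`, the three panels are cheap post-process searches over one result set rather than three separate scans of the index. If the single-value panels show 0 while the table shows rows, check the raw `Keywords` values with `| stats count by Keywords`: a leading space or a different last token is the usual reason a string comparison on the derived field does not match.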