a little search assistance

tkerr1357
Path Finder

Hello all,

I need some assistance using the search below to produce a timechart of the number of events per day for the last 90 days. 

index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25
| search Source_Network_Address="*" ComputerName="*" User="*"
| eval "Source IP" = coalesce(Source_Network_Address,"")
| eval clientip=Source_Network_Address
| sort - _time
| iplocation "Source IP" | where isnotnull(lat)
| streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User
| strcat lat "," lon pointA
| haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles
| strcat next_lat "," next_lon pointB
| eval time_dif=(((next_time - _time)/60)/60), distance_miles=round(distance_miles, 2), time_dif=round(time_dif, 2)

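The pairing logic of the search above (sort newest first, streamstats window=1 by User, haversine to the next-newer login, time difference in hours) and the per-day count the poster is after, re-implemented in Python over a few constructed, already-geolocated EventCode 25 records. This is an added example, not code from the post or from Splunk; the field names mirror the search, the sample events and the Earth radius of 3958.8 miles are assumptions.

```python
import math
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events: RDP reconnects (EventCode 25) after iplocation has added lat/lon.
EVENTS = [
    {"User": "alice", "_time": "2024-03-01T08:00:00Z", "clientip": "203.0.113.10", "lat": 40.71, "lon": -74.01},
    {"User": "alice", "_time": "2024-03-01T10:00:00Z", "clientip": "198.51.100.7", "lat": 51.51, "lon": -0.13},
    {"User": "bob",   "_time": "2024-03-02T09:00:00Z", "clientip": "192.0.2.5",    "lat": 48.86, "lon": 2.35},
    {"User": "bob",   "_time": "2024-03-03T09:30:00Z", "clientip": "192.0.2.9",    "lat": 48.87, "lon": 2.36},
]

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles, as the haversine command computes with units=mi."""
    r = 3958.8  # assumed mean Earth radius in miles
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pair_logins(events):
    """Mirror of `sort - _time | streamstats current=f window=1 ... by User | haversine | eval`.
    Each event is paired with the same user's next-newer event (the one streamstats saw just before it)."""
    rows, newer_by_user = [], {}
    for ev in sorted(events, key=lambda e: parse(e["_time"]), reverse=True):
        row = dict(ev)
        prev = newer_by_user.get(ev["User"])  # first(...) of the 1-event window, excluding current
        if prev is not None:
            row["next_ip"] = prev["clientip"]
            row["distance_miles"] = round(haversine_miles(ev["lat"], ev["lon"], prev["lat"], prev["lon"]), 2)
            row["time_dif"] = round((parse(prev["_time"]) - parse(ev["_time"])).total_seconds() / 3600, 2)
        newer_by_user[ev["User"]] = ev
        rows.append(row)
    return rows

def events_per_day(rows):
    """Equivalent of `| timechart span=1d count` on the enriched rows (UTC day buckets)."""
    return dict(Counter(parse(r["_time"]).strftime("%Y-%m-%d") for r in rows))

if __name__ == "__main__":
    enriched = pair_logins(EVENTS)
    for r in enriched:
        print(r["User"], r["_time"], r.get("next_ip"), r.get("distance_miles"), r.get("time_dif"))
    print(events_per_day(enriched))
```

Every event keeps its own row here, so the day count covers the whole window; only the oldest login of each user lacks the next_* fields, as it does after streamstats.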

ITWhisperer
SplunkTrust
| timechart span=1d count

tkerr1357
Path Finder

Sorry, I forgot to mention that I tried that and it only returns the number of events for the most recent day. If I remove the majority of the evals and customization, adding that timechart works just fine.


tkerr1357
Path Finder

I was able to resolve this, but had to completely alter my search.
