Splunk Search

a little search assistance

tkerr1357
Path Finder

Hello all,


I need some assistance using the search below to produce a timechart of the number of events per day for the last 90 days. 

index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25
| search Source_Network_Address="*" ComputerName="*" User="*"
| eval "Source IP" = coalesce(Source_Network_Address,"")
| eval clientip=Source_Network_Address | sort - _time
| iplocation "Source IP" | where isnotnull(lat)
| streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User
| strcat lat "," lon pointA
| haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles
| strcat next_lat "," next_lon pointB | eval time_dif=(((next_time - _time)/60)/60), distance_miles=round(distance_miles, 2), time_dif=round(time_dif, 2)


ITWhisperer
SplunkTrust
| timechart span=1d count

tkerr1357
Path Finder

Sorry, I forgot to mention that I tried that, and it only returns the number of events for the most recent day. If I remove the majority of the evals and customization, adding that timechart works just fine.

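An added example, not code from the thread: the original search with ITWhisperer's timechart appended so the daily count covers the whole 90-day window. It assumes (this is not stated in the thread) that the bare sort command's default cap of 10,000 results was what trimmed the output to the newest day; sort 0 removes that cap, and earliest=-90d pins the window in the search itself.

```spl
index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25 earliest=-90d
| eval clientip=Source_Network_Address
| sort 0 - _time
| iplocation clientip
| where isnotnull(lat)
| streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User
| strcat lat "," lon pointA
| haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles
| eval time_dif=round((next_time - _time)/3600, 2), distance_miles=round(distance_miles, 2)
| timechart span=1d count
```

Replacing the last line with `| timechart span=1d count by User` breaks the daily count out per account while keeping the same filtering.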

tkerr1357
Path Finder

I was able to resolve this, but I had to completely alter my search.
