Splunk Search

Data count from different reports in the same report

jip31jip31
Explorer

Hi

I use 4 different reports to do a count of data

1) index="wineventlog" sourcetype="wineventlog:application" SourceName=Endpoint EventCode=* Type=Erreur RecordNumber "Type=Erreur" SourceName | stats count by Type
2) index="wineventlog" sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement | stats count by Type
3)....
4)....

I want to use only 1 report.
How can I do this, please?


richgalloway
SplunkTrust
SplunkTrust

You should be able to combine your searches with OR.

index="wineventlog" (sourcetype="wineventlog:application" SourceName=Endpoint EventCode=* Type=Erreur RecordNumber "Type=Erreur" SourceName) OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (...) OR (...) | stats count by Type
---
If this reply helps you, Karma would be appreciated.



jip31jip31
Explorer

Many thanks, it's perfect (I had forgotten the parentheses).
I would like another evolution, please.
In my dashboard I would like to add a column with the 5 items below.
The items are not linked to an event:
McAfee_Critical_Errors
Sysmon_Critical_Errors
Application, Security & System_Critical_Errors
PowerShell_Critical_Errors
Operational Scheduled task_Critical_Errors
Thanks for your help.


richgalloway
SplunkTrust
SplunkTrust

It depends on the source for those 5 items. Perhaps you should post a new question on that topic.

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

In fact, I use this search:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" (EventCode=400 OR EventCode=600) RecordNumber) | stats count by SourceName Type

I just have a problem with the sourcetype "wineventlog" because its SourceName is variable,
so I would like to rename this sourcetype as "Windows Events".
I tried with rename but it doesn't work! Syntax problem?
Thanks

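The combined search from the post above, as an added example (it is not the poster's or Splunk's own code): the four clauses are still joined with OR, as in the accepted answer, but the counting is done by a label computed with eval and case() instead of by SourceName, so the wineventlog:* clause no longer depends on a SourceName that varies. The five label strings are the ones listed earlier in the thread; the mapping from sourcetype to label, the lower() normalisation and the regular expression are assumptions, and the Sysmon search is not given anywhere on the page, so no clause is written for it.

```spl
index="wineventlog"
    (sourcetype="wineventlog:application" SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur)
    OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement)
    OR (sourcetype="wineventlog:*" Type=Critique)
    OR (sourcetype="WinEventLog:Windows PowerShell" (EventCode=400 OR EventCode=600))
| eval st=lower(sourcetype)
| eval category=case(
      st=="wineventlog:windows powershell", "PowerShell_Critical_Errors",
      st=="wineventlog:microsoft-windows-taskscheduler/operational", "Operational Scheduled task_Critical_Errors",
      SourceName=="McAfee Endpoint Security", "McAfee_Critical_Errors",
      match(st, "^wineventlog:(application|security|system)$"), "Application, Security & System_Critical_Errors",
      true(), "Windows Events")
| stats count by category Type
```

case() returns the value of the first condition that is true, so the McAfee test is placed before the generic application/security/system test; otherwise McAfee errors from the application log would be counted under the generic label. Search-time field matching is case-insensitive but eval comparisons are not, which is why sourcetype is lowercased before it is compared. The result has one row per label and Type, which is the shape a dashboard table or single-value panel per category needs.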

niketn
Legend

@jip31jip31 please accept @richgalloway 's answer if your issue is resolved 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"