Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to find all windows systems reporting a partcular event ID, Source, and/or Severity

Justin_Grant
Contributor
‎04-07-2010 06:27 AM

What are the searches required to search across Windows Event Logs for:

  • most recent events of a particular event ID and Source
  • count of events of a particular event ID, per day for the past month
  • all systems reporting a particular event ID and Source
  • the most recent events of "error" severity across all my monitored systems

I realize this is an easy question, but it's one I heard from a Splunk user today and it didn't already have an entry in Answers...

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-07-2010 01:30 PM

This is really a basic search language issue, and might be better addressed in the http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchCheatsheet or elsewhere in http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/WhatsInThisManual

Nevertheless:

  • sourcetype=WinEventLog:* EventCode=$myeventcode$ Source=$mysource$ | head 5
  • sourcetype=WinEventLog:* EventCode=$myeventcode$ earliest=-1mon | timechart span=1d count
  • sourcetype=WinEventLog:* EventCode=$myeventcode$ Source=$mysource$ | top limit=0 host
  • Severity=Error | dedup 1 host

The base search terms can of course be changed to suit the right WinEventLog, EventCode, Source, Severity, or other criteria. I'm pretty sure Severity isn't a field name, but I can't remember the right one.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-07-2010 01:30 PM

This is really a basic search language issue, and might be better addressed in the http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchCheatsheet or elsewhere in http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/WhatsInThisManual

Nevertheless:

  • sourcetype=WinEventLog:* EventCode=$myeventcode$ Source=$mysource$ | head 5
  • sourcetype=WinEventLog:* EventCode=$myeventcode$ earliest=-1mon | timechart span=1d count
  • sourcetype=WinEventLog:* EventCode=$myeventcode$ Source=$mysource$ | top limit=0 host
  • Severity=Error | dedup 1 host

The base search terms can of course be changed to suit the right WinEventLog, EventCode, Source, Severity, or other criteria. I'm pretty sure Severity isn't a field name, but I can't remember the right one.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...