You should use a csv-Lookup here...

Just follow these steps:

1. Create a csv-file containing the EventCodes and the Description you could use this site as a reference for the csv: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
2. Upload the csv-file to Splunk via Settings -> Lookups -> Lookup Table files -> New
3. optional: Create a lookup-Definition and a automatic lookup for your sourcetype (reference here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources)
4. Use the lookup to add the additional knowledge data

Assuming your csv has the name winevents.csv and has this structure:

 EventCode,Description
 513,Windows is shutting down
 514,An authentication package has been loaded by the Local Security Authority

this would be your search:

 Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | lookup winevents.csv EventCode OUTPUT Description | timechart count by Description

Hi smudge,

Did you try CSV lookups ? Check this out

http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Addfieldsfromexternaldatasources#CSV_loo...

Hope it helps!

you can use replace command to do it .

try like this:

... | replace 4800 with "The workstation was locked" in EventCode| replace 4801 with "The workstation was unlocked" in EventCode|.....

Hi
I rectified use case statement and retry

 Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description