Splunk Search

rename EventCodes

Path Finder

Is there a way to rename EventCodes xxxx field to "description" in timechart? Here is a sample search:

Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security" | timechart count by EventCode

Thanks!

0 Karma

Re: rename EventCodes

Motivator

Hi
I rectified the case statement usage, retry it:

Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description
0 Karma

Re: rename EventCodes

Path Finder

Thanks, but I need the description to be something like:
4768 A Kerberos authentication ticket (TGT) was requested
4800 The workstation was locked
4801 The workstation was unlocked
4768 User Logged in

Rather than just listing the event codes.

0 Karma

Re: rename EventCodes

Motivator

Just retry my new search code above.

0 Karma

Re: rename EventCodes

Path Finder

Nice! Thanks.

0 Karma

Re: rename EventCodes

Motivator

Where is the query that you propose?

0 Karma

Re: rename EventCodes

Motivator

I am OK with Mm chimell. Where is your answer, Mm smudge797?
Post your answer because it can help somebody.
Thanks.

0 Karma

Re: rename EventCodes

Path Finder

This worked, from Chimell. Thanks.

Account_Name=* (EventCode=4800 OR EventCode=4801 OR EventCode=4768) index=blah sourcetype="WinEventLog:Security" source="WinEventLog:Security"|eval description=case(EventCode=="4768","A Kerberos authentication ticket (TGT) was requested and User Logged in", EventCode=="4800" , "The workstation was locked" , EventCode=="4801" , "The workstation was unlocked") | timechart count by description


Re: rename EventCodes

Motivator

Go accept and upvote the answer of Mm chimell if you agree, Mm smudge797.
Thanks.

0 Karma

Re: rename EventCodes

Motivator

You can use the replace command to do it.

Try like this:

... | replace 4800 with "The workstation was locked" in EventCode| replace 4801 with "The workstation was unlocked" in EventCode|.....
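Added example, not from this thread or from Splunk: a small Python emulation of what the two answers above do, the accepted `eval description=case(...) | timechart count by description` search and the `replace ... in EventCode` alternative, run over a handful of constructed Windows Security events so the difference between them is visible. It goes slightly beyond the thread: the sample data includes an EventCode (4624) that the thread's search would have filtered out, to show that `case()` without a default branch yields a null description and that event silently disappears from the timechart, whereas `replace` leaves an unmatched code untouched. Function names, the sample events and the one-hour span are assumptions made here.

```python
"""Emulates the thread's SPL (case() + timechart, and replace + timechart)
over constructed sample events. Added example, not the thread's own code."""
from collections import defaultdict
from datetime import datetime, timezone

# Same EventCode -> description mapping the accepted case() statement uses.
EVENT_DESCRIPTIONS = {
    "4768": "A Kerberos authentication ticket (TGT) was requested and User Logged in",
    "4800": "The workstation was locked",
    "4801": "The workstation was unlocked",
}

# Constructed sample events (not real log data): (_time, EventCode, Account_Name).
# 4624 is deliberately outside the mapping to show the no-default behaviour.
SAMPLE_EVENTS = [
    ("2024-01-15T08:02:11Z", "4768", "alice"),
    ("2024-01-15T08:05:40Z", "4800", "alice"),
    ("2024-01-15T08:31:09Z", "4801", "alice"),
    ("2024-01-15T09:10:00Z", "4768", "bob"),
    ("2024-01-15T09:12:30Z", "4624", "bob"),
    ("2024-01-15T09:45:01Z", "4800", "bob"),
]


def describe(event_code, default=None):
    """Mirror Splunk's case(): the first matching description, otherwise
    `default`. With no default this returns None, exactly as case() returns
    null when no branch matches."""
    return EVENT_DESCRIPTIONS.get(event_code, default)


def replace_event_codes(events):
    """Mirror `replace 4800 with "..." in EventCode | ...`: rewrite the
    EventCode value in place; codes with no replacement stay as they are."""
    return [(ts, EVENT_DESCRIPTIONS.get(code, code), acct) for ts, code, acct in events]


def timechart(events, value_fn, span_seconds=3600):
    """Emulate `timechart span=1h count by <field>`. value_fn extracts the
    split-by value from an event; a None value is dropped, as Splunk drops
    events whose split-by field is null. Returns {bucket_iso: {value: count}}."""
    chart = defaultdict(lambda: defaultdict(int))
    for event in events:
        value = value_fn(event)
        if value is None:
            continue  # null split-by field: the event leaves the chart
        ts = datetime.strptime(event[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        epoch = int(ts.timestamp())
        bucket = epoch - (epoch % span_seconds)  # floor to the span boundary
        bucket_iso = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        chart[bucket_iso][value] += 1
    return {b: dict(counts) for b, counts in sorted(chart.items())}


def case_chart(events):
    """The accepted answer: case() with no default, then timechart by description."""
    return timechart(events, lambda e: describe(e[1]))


def case_chart_with_default(events):
    """Same, but with a trailing `true(), EventCode` style default so nothing is lost."""
    return timechart(events, lambda e: describe(e[1], default=e[1]))


def replace_chart(events):
    """The replace-command answer: rewrite EventCode, then timechart by EventCode."""
    return timechart(replace_event_codes(events), lambda e: e[1])


if __name__ == "__main__":
    for name, chart in (("case()", case_chart(SAMPLE_EVENTS)),
                        ("case() with default", case_chart_with_default(SAMPLE_EVENTS)),
                        ("replace", replace_chart(SAMPLE_EVENTS))):
        print(f"== {name}")
        for bucket, counts in chart.items():
            for description, count in counts.items():
                print(f"{bucket}  {count:>3}  {description}")
```

Running it shows the 09:00 bucket with two rows for the plain `case()` search and three rows for the other two: the 4624 event only survives when the description has a fallback. In SPL the equivalent fallback is a final `true(), EventCode` pair in the `case()` call.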