- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- how can I search for multiple event IDs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how can I search for multiple event IDs?
How would I search for multiple event IDs ?
sourcetype=wineventlog:security EventCode=631 OR Eventcode=632 OR EventCode=633 .......
Is there a way to combine the eventIDs in one EventCode statement?
thanks
Mark
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or you could have a lookup table with all of your values you want included:
http://answers.splunk.com/answers/26989/does-splunk-have-an-equivalent-to-sqls-in-construct
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone for your input. Now I have a few options to choose from.
Mark
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another one (little crude, but more generic)
sourcetype=wineventlog:security [* | head 1 | eval EventCode="631,632,633..add all your want separated by comma" |table EventCode| eval EventCode=split(EventCode,",")| mvexpand EventCode]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, but only for very specific cases.
In the case of your example you could use:
sourcetype=wineventlog:security | regex "EventCode=63[1-3]" |stats count by EventCode ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh come on don't be hurt 🙂
I'm merely stating the problem with the approach. It's still a valid approach but it's important to point out its drawbacks. Between the 3 supplied answers here I believe we've showed what various approaches the user can take. Each of them has its own advantages and disadvantages.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Answers is free support, and a mess with half solutions. I say if you have a better anwser - then post it. If you can make an answer better then - adjust it.
It is easy to be a critic.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=wineventlog:security EventCode="63*" | regex "EventCode=63[1-3]" |stats count by EventCode ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem with this is that it would lead to bad performance, because no filtering on EventCode will be done at all in the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. An OR separated list like the one you've written is the way to go.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
