Solved: How to differentiate events with Field values and ...

maria2691 · ‎02-20-2018

Hello Everyone

I have to differentiate few events with their field values.

In my events I have a field called EventCode. The events are about login information.
If the field value of EventCode is 1111, they are successful logins. If the values are 2222, they are failed logins.

I have another field host in my events.
The requirement is to diffentiate 1111 and 2222 from the EventCode and then show them as results for each host, how much is successful and how many have failed.

I need to make a column chart in which the X axis should be host and Y axis should be showing the graph for successful and failed logins separately for each host.

I am trying some basic commands, however I am unable to get the results exactly the way it is required.

Please help me on this regard!

Thanks
Maria Arokiaraj

chitturics · ‎02-21-2018

EventCode=1111 OR EventCode=2222 |eval event_status=if(EventCode="1111","Success","Failed")|chart count over host by event_status

View solution in original post

maria2691 · ‎02-21-2018

Hello @cmerriman

Below is a sample event which is a successful one. If the EventCode is 2222, it is to be considered as a failed one.

02/21/2018 01:12:43 PM
LogName=Microsoft*
SourceName=Microsoft*
EventCode=1111
EventType=4
Type=Information
ComputerName=abcd.local
User=NOT_TRANSLATED
Sid=S**
SidType=0
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=xxxx
Keywords=None
Message=Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 1.1.1.1
Collapse
host = hostname1 source = WinEventLog:* sourcetype = WinEventLog*

Do I need to use the makeresults option for all the separate hosts, we have around 20. Is there any other way?
And also when I tried the sample code given by you, the counts I am getting is 1 for all the hosts and EventCodes even though the actual results are more than 600. Could you please check what is wrong with the code 😞

Thanks
Maria Arokiaraj

cmerriman · ‎02-21-2018

without knowing what your data looks like, this is what i've come up with using makeresults:

|makeresults |eval data="host=x,eventcode=1111 host=x,eventcode=2222 host=x,eventcode=1111 host=y,eventcode=2222 host=y,eventcode=2222 host=z,eventcode=1111 host=z,eventcode=1111 host=z,eventcode=1111"|makemv data|mvexpand data|rename data as _raw|kv|table host eventcode|eval{eventcode}=eventcode|fields - eventcode|stats count(*) as * by host

try using eval{EventCode}=EventCode to make a column for each code 1111 and 2222 and then count them by host. If this doesn't work, if you could provide some sample data and expected output, that would be helpful.

cmerriman · ‎02-21-2018

what is your search looking like? all of those fields are extracted? you have a field called EventCode and host? if so, all you should really need is something like |table host EventCode|eval{EventCode}=EventCode|fields - EventCode|stats count(*) as * by host

chitturics · ‎02-21-2018

EventCode=1111 OR EventCode=2222 |eval event_status=if(EventCode="1111","Success","Failed")|chart count over host by event_status

maria2691 · ‎02-21-2018

Very simple. Pity I didn't even think of it 😞
Thanks @chitturics.

How to differentiate events with Field values and group them by a different field?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM