Getting Data In

How to return only values that are not unique?

Nitroxeno
New Member

Currently forwarding all Windows Application Logs with event ID 1000 (AppCrash Event) to Splunk. Using this search allows me to see what the top crashing applications in my environment are:

EventCode=1000 | top limit=50 Faulting_application_path

My problem is that for many of these events only a single computer is reporting the event, so it makes it look like a bigger issue when it's not. Is there a way I can do that same search but only if the "ComputerName" value is not unique? Perhaps even something like | where ComputerName > 5?

Here is an example event:

02/28/2018 12:06:32 PM
LogName=Application
SourceName=Application Error
EventCode=1000
EventType=2
Type=Error
ComputerName=ComputerName1.mydomain.com
TaskCategory=Application Crashing Events
OpCode=Info
RecordNumber=272812
Keywords=Classic
Message=Faulting application name: CcmExec.exe, version: 5.0.8577.1108, time stamp: 0x5a5e6659
Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c
Exception code: 0xe06d7363
Fault offset: 0x0000000000013fb8
Faulting process id: 0x4a8c
Faulting application start time: 0x01d3b0b67a98d2b3
Faulting application path: C:\WINDOWS\CCM\CcmExec.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: f6e1ae09-3d16-4ba0-addf-98b1b999927c
Faulting package full name: 
Faulting package-relative application ID:

TIA!

0 Karma
1 Solution

somesoni2
SplunkTrust

Try something like this. Also try to include at least one metadata field (index, sourcetype, source, host) in your base search for better performance.

EventCode=1000  | stats count dc(ComputerName) as ComputerName by Faulting_application_path | where ComputerName>5
| sort 50 -count


0 Karma
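The accepted answer's search, re-implemented in Python over a handful of constructed Application-log events so the count / dc(ComputerName) / where logic can be checked offline. This is an added example, not code from the thread or from Splunk; the hostnames, the notepad.exe and calc.exe crashes, and the 1001 event are made up to show the noisy single-host case the question describes next to a genuinely widespread one.

```python
import re
from collections import defaultdict

# Constructed Application-log events in the same key=value layout as the one
# quoted in the question. Hostnames and the notepad/calc crashes are made up.
_TEMPLATE = """02/28/2018 12:06:32 PM
LogName=Application
SourceName=Application Error
EventCode={code}
EventType=2
Type=Error
ComputerName={host}
TaskCategory=Application Crashing Events
Message=Faulting application name: {exe}, version: 1.0.0.0, time stamp: 0x00000000
Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c
Exception code: 0xe06d7363
Faulting application path: {path}
Faulting module path: C:\\WINDOWS\\System32\\KERNELBASE.dll
"""


def _event(host, exe, path, code=1000):
    return _TEMPLATE.format(code=code, host=host, exe=exe, path=path)


# CcmExec.exe crashes once on each of six hosts (a genuinely widespread problem);
# notepad.exe crashes 20 times on a single host (the noisy case from the question);
# calc.exe crashes once; one non-1000 event must be dropped by the EventCode filter.
SAMPLE_EVENTS = (
    [_event(f"host{i}.mydomain.com", "CcmExec.exe", r"C:\WINDOWS\CCM\CcmExec.exe")
     for i in range(1, 7)]
    + [_event("host1.mydomain.com", "notepad.exe", r"C:\WINDOWS\System32\notepad.exe")
       for _ in range(20)]
    + [_event("host2.mydomain.com", "calc.exe", r"C:\WINDOWS\System32\calc.exe")]
    + [_event("host3.mydomain.com", "calc.exe", r"C:\WINDOWS\System32\calc.exe", code=1001)]
)

_CODE_RE = re.compile(r"^EventCode=(\d+)\s*$", re.M)
_HOST_RE = re.compile(r"^ComputerName=(.+?)\s*$", re.M)
_PATH_RE = re.compile(r"^Faulting application path: (.+?)\s*$", re.M)


def parse_event(text):
    """Pull EventCode, ComputerName and the faulting application path out of one
    raw event. Returns (code, host, path) or None when any field is missing."""
    code = _CODE_RE.search(text)
    host = _HOST_RE.search(text)
    path = _PATH_RE.search(text)
    if not (code and host and path):
        return None
    return int(code.group(1)), host.group(1), path.group(1)


def _crash_rows(events):
    """Per faulting path: total event count and the set of distinct hosts."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for raw in events:
        parsed = parse_event(raw)
        if parsed is None or parsed[0] != 1000:  # the EventCode=1000 base search
            continue
        _, host, path = parsed
        counts[path] += 1
        hosts[path].add(host.lower())  # case-fold so HOST1 and host1 count as one machine
    return counts, hosts


def top_crashes(events, limit=50):
    """The original `top limit=50 Faulting_application_path`: count only,
    so one chatty machine can dominate the list. Returns (path, count)."""
    counts, _ = _crash_rows(events)
    rows = sorted(counts.items(), key=lambda kv: -kv[1])
    return rows[:limit]


def top_widespread_crashes(events, min_hosts=5, limit=50):
    """The accepted answer: stats count dc(ComputerName) by Faulting_application_path
    | where dc > min_hosts | sort limit -count. Returns (path, count, distinct_hosts)."""
    counts, hosts = _crash_rows(events)
    rows = [(path, counts[path], len(hosts[path]))
            for path in counts if len(hosts[path]) > min_hosts]
    rows.sort(key=lambda r: -r[1])
    return rows[:limit]


if __name__ == "__main__":
    print("top (noisy):", top_crashes(SAMPLE_EVENTS)[:3])
    print("widespread:", top_widespread_crashes(SAMPLE_EVENTS))
```

Run as a script it prints notepad.exe at the head of the plain `top`-style list (20 events from one host) while only CcmExec.exe survives the distinct-host threshold. The `> min_hosts` comparison mirrors the answer's `where ComputerName>5`, so the threshold is "more than five machines", not "five or more"; adjust `min_hosts` rather than the comparison if you want the other semantics.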


Nitroxeno
New Member

That did the trick! Thank you very much!

0 Karma