Currently forwarding all Windows Application Logs with event ID 1000 (AppCrash Event) to Splunk. Using this search allows me to see what the top crashing applications in my environment are:
EventCode=1000 | top limit=50 Faulting_application_path
My problem is that for many of these events only a single computer is reporting the event, so it makes it look like a bigger issue when it's not. Is there a way I can do that same search but only if the "ComputerName" value is not unique? Perhaps even something like | where ComputerName > 5?
Here is an example event:
02/28/2018 12:06:32 PM
LogName=Application
SourceName=Application Error
EventCode=1000
EventType=2
Type=Error
ComputerName=ComputerName1.mydomain.com
TaskCategory=Application Crashing Events
OpCode=Info
RecordNumber=272812
Keywords=Classic
Message=Faulting application name: CcmExec.exe, version: 5.0.8577.1108, time stamp: 0x5a5e6659
Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c
Exception code: 0xe06d7363
Fault offset: 0x0000000000013fb8
Faulting process id: 0x4a8c
Faulting application start time: 0x01d3b0b67a98d2b3
Faulting application path: C:\WINDOWS\CCM\CcmExec.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: f6e1ae09-3d16-4ba0-addf-98b1b999927c
Faulting package full name:
Faulting package-relative application ID:
TIA!
Try something like this. Also try to include at least one metadata field (index sourcetype source host) in your base search for better performance.
EventCode=1000 | stats count dc(ComputerName) as ComputerName by Faulting_application_path | where ComputerName>5
| sort 50 -count
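The same aggregation as the answer's SPL (count and distinct ComputerName per Faulting_application_path, keep only paths seen on more than five hosts, sort by count), reimplemented in Python as an added example that is not from the thread or from Splunk. The events, host names and paths are constructed; the field extraction follows the key=value layout of the event quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), laid out like the event in
# the question; only the fields the aggregation needs are included.
def _event(code, host, path):
    return f"EventCode={code}\nComputerName={host}\nFaulting application path: {path}"

SAMPLE_EVENTS = (
    # CcmExec.exe crashing once on each of seven different hosts
    [_event(1000, f"host{i:02d}.example.com", r"C:\WINDOWS\CCM\CcmExec.exe") for i in range(7)]
    # one host crashing the same tool twenty times: loud, but not widespread
    + [_event(1000, "host99.example.com", r"C:\Tools\flaky.exe") for _ in range(20)]
    # a different event ID, excluded by the base search
    + [_event(1002, "host01.example.com", r"C:\WINDOWS\explorer.exe")]
)

FIELDS = {
    "EventCode": re.compile(r"^EventCode=(\d+)$", re.M),
    "ComputerName": re.compile(r"^ComputerName=(.+)$", re.M),
    "Faulting_application_path": re.compile(r"^Faulting application path: (.+)$", re.M),
}

def extract(raw):
    """Pull the three fields out of one raw event; a missing field becomes None."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(raw)
        out[name] = m.group(1).strip() if m else None
    return out

def widespread_crashes(raw_events, min_hosts=5, limit=50):
    """Equivalent of:
    EventCode=1000 | stats count dc(ComputerName) as hosts by Faulting_application_path
                   | where hosts > min_hosts | sort limit -count
    Returns [(path, count, distinct_hosts), ...] sorted by count descending."""
    count = defaultdict(int)
    hosts = defaultdict(set)
    for raw in raw_events:
        ev = extract(raw)
        if ev["EventCode"] != "1000" or ev["Faulting_application_path"] is None:
            continue  # base search: AppCrash events only
        count[ev["Faulting_application_path"]] += 1
        if ev["ComputerName"]:
            hosts[ev["Faulting_application_path"]].add(ev["ComputerName"])
    rows = [(p, count[p], len(hosts[p])) for p in count if len(hosts[p]) > min_hosts]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:limit]

if __name__ == "__main__":
    for path, n, dc in widespread_crashes(SAMPLE_EVENTS):
        print(f"{n:>5} crashes on {dc} hosts  {path}")
```

With the distinct-host filter, flaky.exe (20 crashes, one host) drops out while CcmExec.exe (7 crashes, 7 hosts) stays, which is exactly the noise the question wants removed.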
That did the trick! Thank you very much!