Splunk Search

data count from differents report in the same report

jip31jip31
Explorer

Hi

I use 4 different reports for doing a count of data

1) index="wineventlog" sourcetype="wineventlog:application" SourceName=Endpoint EventCode=* Type=Erreur RecordNumber "Type=Erreur" SourceName | stats count by Type
2) index="wineventlog" sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement | stats count by Type
3)....
4)....

I want to use only 1 report.
How can I do this please?

1 Solution

richgalloway
SplunkTrust
SplunkTrust

You should be able to combine your searches with OR.

index="wineventlog" (sourcetype="wineventlog:application" SourceName=Endpoint EventCode=* Type=Erreur RecordNumber "Type=Erreur" SourceName) OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (...) OR (...) | stats count by Type
---
If this reply helps you, Karma would be appreciated.


jip31jip31
Explorer

Many thanks, it's perfect (I had forgotten the parentheses).
I would like another evolution please:
in my dashboard I would like to add a column with the 5 items below.
The items are not linked to an event.
McAfee_Critical_Errors
Sysmon_Critical_Errors
Application, Security & System_Critical_Errors
PowerShell_Critical_Errors
Operational Scheduled task_Critical_Errors
Thanks for your help.


richgalloway
SplunkTrust
SplunkTrust

It depends on the source for those 5 items. Perhaps you should post a new question on that topic.

---
If this reply helps you, Karma would be appreciated.

jip31
Motivator

In fact I use this request:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" EventCode = 400 OR EventCode = 600 RecordNumber) | stats count by SourceName Type

I just have a problem for the sourcetype "wineventlog" because its SourceName is variable,
so I would like to rename this sourcetype as "Windows Events".
I tried with rename but it doesn't work! Syntax problem?
Thanks


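As an added example (not posted by anyone in this thread), the combined search from the previous post with an eval that gives the variable-SourceName branch the fixed label "Windows Events" before the stats; rename cannot do this because it renames fields, not field values. The sourcetypes, SourceName values and Type values are taken from the posts above; the new field name Source, the restriction of the label to the application/security/system sourcetypes, and dropping the redundant "RecordNumber" and "SourceName=endpoint" terms are my assumptions.

```spl
index="wineventlog"
    (sourcetype="wineventlog:application" SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur)
    OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement)
    OR (sourcetype="wineventlog:*" Type=Critique)
    OR (sourcetype="WinEventLog:Windows PowerShell" (EventCode=400 OR EventCode=600))
| eval Source=case(
      match(lower(sourcetype), "^wineventlog:(application|security|system)$") AND Type=="Critique", "Windows Events",
      true(), SourceName)
| stats count BY Source Type
```

The case() falls through to the original SourceName for every other branch, so the McAfee, Task Scheduler and PowerShell rows keep their own names while all critical application/security/system events are counted under one row.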
niketn
Legend

@jip31jip31, please accept @richgalloway's answer if your issue is resolved 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"