Splunk Search

How do I display the latest event from two event IDs by computer name?

willsy
Communicator

Hello,

I am trying to complete a query that allows me to see both the latest failed and successful backups from event logs for each computer. The issue I am having is that when I run the query I get both the failed and successful backups for the computer, not just the most recent failure or success.

For example, if server A fails to back up but the backup is then re-run and passes, I only want to see that it passes. Or, on the flip side, if server A successfully backs up and then fails at a different time, I would like to see that its most recent event is a failure.

In my example EventCode 21 is a success and EventCode 22 is a failure.

index=windows_health-servers sourcetype="WinEventLog:Application" (EventCode=21 OR EventCode=22)
| where match(Machine_BackedUp,"DC(A|P)OV\w{2}\d{3}")
| eval Outcome=if(EventCode=21,"Success","Fail")
| chart values(Machine_BackedUp) as "Computer Name" latest(EventCode) as EventCode latest(_time) as Date by Outcome
| fields - EventCode
| convert ctime("Date")

Any help is greatly appreciated.

Willsy

0 Karma
1 Solution

renjith_nair
Legend

@willsy,
Try moving the chart/stats before the Outcome eval

index=windows_health-servers sourcetype="WinEventLog:Application" (EventCode=21 OR EventCode=22)
| where match(Machine_BackedUp,"DC(A|P)OV\w{2}\d{3}")
| stats latest(EventCode) as EventCode, latest(_time) as Date by Machine_BackedUp
| eval Outcome=if(EventCode=21,"Success","Fail")
| fields - EventCode
| convert ctime("Date") | rename Machine_BackedUp as "Computer Name"
Happy Splunking!

0 Karma

willsy
Communicator

That's certainly a lot better than what I had before, so thank you for that. The individual events are there, but I still have in the search:

DCAOVSG001 failed backup 12/06/2018
DCAOVSG001 successful backup 12/07/2018

Is there a way that I can only see the very latest one? So in this case I would only see the successful backup as opposed to both?

0 Karma

renjith_nair
Legend

@willsy, are you adding date or any other field in the by clause?

Just to test, can you try this?

index=windows_health-servers sourcetype="WinEventLog:Application" (EventCode=21 OR EventCode=22)
| where match(Machine_BackedUp,"DC(A|P)OV\w{2}\d{3}")
| stats latest(EventCode) as EventCode by Machine_BackedUp

Is it displaying both EventCodes for machine DCAOVSG001?

Happy Splunking!

willsy
Communicator

Hello, thank you for getting back to me.
That's working as follows:

Machine Backedup    Event Code
DCAOVSG001          22
DCAOVSG002          21
DCAOVSG003          21

Which is the basis of what I am after; I just need to change the 21 to a pass message and the 22 to a fail message, and then add a date.

So what I've done is added
| eval Outcome=if(EventCode=21,"Success","Fail")
| fields - EventCode
| convert ctime("Date") | rename Machine_BackedUp as "Computer Name"

onto the bottom of your search so that it looks like this:

index=windows_health-servers sourcetype="WinEventLog:Application" (EventCode=21 OR EventCode=22)
| where match(Machine_BackedUp,"DC(A|P)OV\w{2}\d{3}")
| stats latest(EventCode) as EventCode by Machine_BackedUp
| eval Outcome=if(EventCode=21,"Success","Fail")
| fields - EventCode
| convert ctime("Date") | rename Machine_BackedUp as "Computer Name"

I need to sort the time out, but you, my good sir, are both a scholar and a gent. Thank you ever so much.

0 Karma
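The difference between the two pipelines in this thread, as an added Python simulation that is not code from any post: it replays the `where match(...)`, `latest()` grouping and `eval Outcome` steps over a few constructed events and shows why grouping by Outcome lists a machine under both rows, while grouping by Machine_BackedUp keeps only each machine's newest result, together with the `latest(_time) as Date` column the last post was still missing.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not taken from the thread. EventCode 21 = successful
# backup, 22 = failed backup, as in the original question; _time is epoch seconds.
EVENTS = [
    {"_time": 1528243200, "Machine_BackedUp": "DCAOVSG001", "EventCode": 22},  # fail, then ...
    {"_time": 1528329600, "Machine_BackedUp": "DCAOVSG001", "EventCode": 21},  # ... a later success
    {"_time": 1528243200, "Machine_BackedUp": "DCAOVSG002", "EventCode": 21},  # success, then ...
    {"_time": 1528329600, "Machine_BackedUp": "DCAOVSG002", "EventCode": 22},  # ... a later failure
    {"_time": 1528243200, "Machine_BackedUp": "DCAOVSG003", "EventCode": 21},
    {"_time": 1528329600, "Machine_BackedUp": "FILESRV01", "EventCode": 22},   # dropped by the regex
]
MACHINE_RE = re.compile(r"DC(A|P)OV\w{2}\d{3}")  # the `where match(...)` filter from the thread

def filtered(events):
    return [e for e in events if MACHINE_RE.search(e["Machine_BackedUp"])]

def outcome(code):
    return "Success" if code == 21 else "Fail"  # eval Outcome=if(EventCode=21,...)

def original_query(events):
    """OP's order: eval Outcome, then `chart values(Machine_BackedUp) ... by Outcome`.
    Grouping by Outcome yields one row per outcome, so a machine that failed and
    later succeeded is listed under both rows."""
    rows = defaultdict(set)
    for e in filtered(events):
        rows[outcome(e["EventCode"])].add(e["Machine_BackedUp"])
    return {k: sorted(v) for k, v in rows.items()}

def accepted_query(events):
    """Accepted answer's order: `stats latest(EventCode) latest(_time) by Machine_BackedUp`
    first, then eval Outcome. latest() takes the field from the most recent event in
    each group, so every machine gets exactly one row carrying its newest result."""
    groups = defaultdict(list)
    for e in filtered(events):
        groups[e["Machine_BackedUp"]].append(e)
    result = {}
    for machine, evs in groups.items():
        newest = max(evs, key=lambda ev: ev["_time"])
        result[machine] = {
            "Outcome": outcome(newest["EventCode"]),
            # convert ctime("Date"): render the epoch as a readable timestamp (UTC here)
            "Date": datetime.fromtimestamp(newest["_time"], timezone.utc).strftime("%m/%d/%Y %H:%M:%S"),
        }
    return result
```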