## ## SPDX-FileCopyrightText: 2021 Splunk, Inc. ## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 ## ## [events-search(6)] args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" [compute-ingestion-stats] # The below post-process can be used to compute generic statistics about event ingestion # The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline. definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB" [netmon-hosts-search] definition = eventtype=netmon_windows | stats count by host | sort +host [event-hosts-search] definition = eventtype=wineventlog_windows | stats count by host | sort +host [log-names-search] definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName [source-names-search(1)] args = LogName definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName [task-categories-search(2)] args = LogName, SourceName definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory [event-codes-search(3)] args = LogName, SourceName, TaskCategory definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode [event-types-search(4)] args = LogName, SourceName, TaskCategory, EventCode definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type