Errors

Windows Events Summary Click on the event to check it on www.eventid.net

Select time range -24h@h now Event types Error,Warning Error Warning Information ( ) Type=" " OR Type Type Security Events Denial,Audit Failure Audit Failure Audit Success ( ) " " OR Audit Type Audit Type Audit Failure Computer All * ( ) host=" " OR `event_sources` | stats count by host $interval.earliest$ $interval.latest$ host host Keyword: * Excluded event sources none ( ) SourceName!=" " AND None `event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName $interval.earliest$ $interval.latest$ SourceName SourceName

Errors `event_sources` Type="Error" AND $Computer$ AND $keyword$ | stats count $interval.earliest$ $interval.latest$ 1 Warnings `event_sources` Type="Warning" AND $Computer$ AND $keyword$ | stats count $interval.earliest$ $interval.latest$ 1 Information `event_sources` Type="Information" AND NOT ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ | stats count $interval.earliest$ $interval.latest$ 1 search?q=`event_sources` Type="Information" | stats count&earliest=$interval.earliest$&latest=$interval.latest$ Audit Failure `event_sources` "Audit Failure" AND $Computer$ AND $keyword$ | stats count $interval.earliest$ $interval.latest$ 1 /app/eventid/audit_events Audit Success `event_sources` Keywords="Audit Success" AND $Computer$ AND $keyword$ | stats count $interval.earliest$ $interval.latest$ 1 Logon Audit Failure `event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ | eval user=mvindex(Account_Name,1) | stats count -24h@h now /app/eventid/audit_events Accounts with 3 or more failed logons `event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ | stats count by user | where count > 2 $interval.earliest$ $interval.latest$ 1 Top computers generating events `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) | eval SourceName = coalesce(SourceName,source) | fillnull | search $sourcetype_token$ | stats count by host $interval.earliest$ $interval.latest$ /app/eventid/eventid?form.Computer=$row.host$ Windows events over time `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) | timechart count $interval.earliest$ $interval.latest$ Events Summary - Links to www.eventid.net `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) | eval SourceName = coalesce(SourceName,Provider) | eval Type = coalesce(Type,Keyword) | fillnull value="-" | stats earliest(_time) as First latest(_time) as Last count by host, EventCode, SourceName, Type | sort -count host, EventCode, SourceName, Type | rename EventCode as "EventId" | fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") $interval.earliest$ $interval.latest$ https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId

Events List `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) | eval SourceName = coalesce(SourceName,Provider) | eval Type = coalesce(Type,Keyword) | fillnull | table _time, host, EventCode, SourceName, Type, Message | rename EventCode as "EventId" $interval.earliest$ $interval.latest$