Splunk_Deploiement/deployment-apps/Splunk_TA_windows/default/macros.conf

##
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[events-search(6)]
args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type
definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$"

[compute-ingestion-stats]
# The below post-process can be used to compute generic statistics about event ingestion
# The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline.
definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB"

[netmon-hosts-search]
definition = eventtype=netmon_windows | stats count by host | sort +host

[event-hosts-search]
definition = eventtype=wineventlog_windows | stats count by host | sort +host

[log-names-search]
definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName

[source-names-search(1)]
args = LogName
definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName

[task-categories-search(2)]
args = LogName, SourceName
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory

[event-codes-search(3)]
args = LogName, SourceName, TaskCategory
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode

[event-types-search(4)]
args = LogName, SourceName, TaskCategory, EventCode
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type