Hello Fellow Splunkers,
I have been trying the following query to pull the ES-notified hosts and add a sparkline of each host's log counts, to reduce the number of false positives on the "Event logging service has shut down" event alerts.
EventCode=1100 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008 index=wineventlog sourcetype=WinEventLog
[ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
| stats count by dest_nt_host
| fields - count
| rename dest_nt_host as search
| format]
| convert ctime(_time)
| eval tem = "* " ._time." - " .EventCode. " - " .Message
| sort tem
| stats values(tem) as tem by host
| search tem=*1100*
| join host
[ search index=wineventlog sourcetype=WinEventLog
[ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
| stats count by dest_nt_host
| fields - count
| rename dest_nt_host as search
| format]
| stats sparkline(count) as sparkline by host ]
However, I have a problem applying a sparkline next to my table, in which the supposed sparkline chart returns a result of:
##__SPARKLINE__##,146,158,201,172,161,172,185,180,154,2361,986,202,570,192,2284,999,200,931,427,549,177,330,382,142,2448,3695,566,3409,490,3483,4671,4927,3000,3087,2873,159,280,139,113,164,132,141,135,151,186,176,140,146,88
I have tried adding the following line, which was mentioned in previous similar questions, at the end of my query:
| makemv delim="," setsv=true sparkline
However, I still end up with a string problem for the sparkline.
Any and all suggestions are welcome,
Regards,
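One way to sidestep the join, added here as an example and not part of the original post: compute the sparkline in the same stats call that builds the table, so the multivalue sparkline field is never serialized through a subsearch and turned into a string. It assumes the host field and the notable source name from the post, and that the sparkline should cover all WinEventLog events for the ES-notified hosts while the message list is still limited to the four EventCodes; the timestamp is formatted as ISO so values() sorts chronologically.

```spl
index=wineventlog sourcetype=WinEventLog
    [ search index=notable source="Audit - Anomalous Audit Trail Activity Detected - Rule"
      | stats count by dest_nt_host
      | fields - count
      | rename dest_nt_host as search
      | format ]
| eval tem=if(EventCode=1100 OR EventCode=1074 OR EventCode=6006 OR EventCode=6008,
              "* ".strftime(_time, "%Y-%m-%d %H:%M:%S")." - ".EventCode." - ".Message,
              null())
| stats values(tem) as tem sparkline(count) as sparkline by host
| search tem=*1100*
```

Hosts without any 1100 event are dropped by the final search, and the sparkline column reflects each remaining host's total event volume over the search window.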