I wonder if there is a way for me to generate a report for something like the "top 25 events" per given time interval.
I could use the "recent event activity" function on the overview map, but I need to choose the number of events that should be included rather than using "all" events right away. In addition, the output is separated by day and difficult to process. I could also just run an "all events" quick search for the last 24h (as an example), but there is no way to sort and separate them like:
1# 987* User Account locked
2# 802* Member removed from group
3# 315 DNS SRV record added
and so on
What I am trying to achieve is that I can compare the amount of events per day/week so that I can spot abnormalities like a very high amount of group membership changes and so on. None of the standard searches seem to work for this use case since they are all focused on one specific event or event type. Can anyone give me a hint on how to achieve this? It is a pretty basic function for something like Splunk, so I assume it should be possible with Change Auditor as well.
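As an added example (not from the original post and not a Change Auditor feature): assuming the events can be exported one row per event with a day and an event name, this Python script builds the ranked "rank# count event" list per day that the post asks for and flags an event type whose daily count is far above its median count on the other days. The sample data is constructed; column names and the 3x threshold are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median
# Constructed sample, not a real Change Auditor export: (day, event name, occurrences).
# A real CSV export would give one row per event; expand_rows() builds that shape.
SAMPLE = [
    ("2024-05-01", "User Account locked", 12),
    ("2024-05-01", "Member removed from group", 9),
    ("2024-05-01", "DNS SRV record added", 3),
    ("2024-05-02", "User Account locked", 11),
    ("2024-05-02", "Member removed from group", 8),
    ("2024-05-02", "DNS SRV record added", 4),
    ("2024-05-03", "User Account locked", 10),
    ("2024-05-03", "Member removed from group", 80),  # the spike we want to catch
    ("2024-05-03", "DNS SRV record added", 2),
]

def expand_rows(sample):
    """One (day, event) tuple per occurrence, like one row per event in an export."""
    return [(day, name) for day, name, n in sample for _ in range(n)]

def daily_counts(rows):
    """Map each day (ISO date string) to a Counter of event name -> count."""
    per_day = defaultdict(Counter)
    for day, name in rows:
        per_day[day][name] += 1
    return per_day

def top_n(counter, n):
    """Ranked lines in the 'rank# count event' shape the post asks for."""
    return [f"{rank}# {count} {name}"
            for rank, (name, count) in enumerate(counter.most_common(n), 1)]

def spikes(per_day, factor=3.0, min_count=10):
    """Flag (day, event, count) when count exceeds factor * median of that event's
    count on the other days. The median keeps one bad day from inflating its own baseline."""
    days = sorted(per_day)
    flagged = []
    for day in days:
        for name, count in per_day[day].items():
            others = [per_day[d].get(name, 0) for d in days if d != day]
            if not others or count < min_count:
                continue
            if count > factor * max(median(others), 1):
                flagged.append((day, name, count))
    return flagged

if __name__ == "__main__":
    per_day = daily_counts(expand_rows(SAMPLE))
    print(*top_n(per_day["2024-05-03"], 3), "spikes:", spikes(per_day), sep="\n")
```

Changing the day key to a week number (for example with `datetime.date.isocalendar()`) gives the per-week comparison instead.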