I essentially want to do something like this:
host="*mas*" sourcetype="WinEventLog:Application" AND (Type=Error OR Type=Warning) | foreach EventCode [ search host="*mas*" sourcetype="WinEventLog:Application" EventCode='<<FIELD>>' | cluster ]
However, this gives an error saying "Error in 'foreach' command: Search pipeline may not contain non-streaming commands". It basically doesn't like the cluster command as part of the foreach.
To clarify, I want to cluster based on the EventCodes of the results returned from the initial search. I don't want to cluster on the whole of the initial search itself. Is there an easy way of doing this?
Try this
host="*mas*" sourcetype="WinEventLog:Application" [search host="*mas*" sourcetype="WinEventLog:Application" AND (Type=Error OR Type=Warning) | stats count by EventCode | table EventCode] | cluster
The subsearch gets all the EventCodes with Type=Error OR Type=Warning, and they are passed to the main search.
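The following is an added illustration of what the subsearch above hands to the main search; it is not part of the original answer. The EventCode values 1000 and 1001 are constructed for the example, and the expansion shown is what Splunk produces when a subsearch returns a single-column table of field values. The `| format` command renders that expansion so you can inspect it before relying on it.

```spl
/* Step 1 (check): run the subsearch on its own with | format to see the
   filter it will produce. With the constructed EventCodes 1000 and 1001 the
   result is the search string: ( ( EventCode="1000" ) OR ( EventCode="1001" ) ) */
host="*mas*" sourcetype="WinEventLog:Application" AND (Type=Error OR Type=Warning)
| stats count by EventCode
| table EventCode
| format

/* Step 2: the answer's search, shown with that expansion substituted in by hand.
   Note that the outer search carries no Type filter, so every event with one of
   those EventCodes is clustered, including Information-type events that share a
   code with an Error or Warning. */
host="*mas*" sourcetype="WinEventLog:Application"
  ( ( EventCode="1000" ) OR ( EventCode="1001" ) )
| cluster
```

Two caveats a practitioner should keep in mind: a subsearch is subject to the default result and time limits (10,000 results and 60 seconds unless changed in limits.conf), which is fine here because `stats count by EventCode` collapses the subsearch to one row per code; and if you only want the Error/Warning events themselves clustered, add `AND (Type=Error OR Type=Warning)` to the outer search as well.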