Hi
I use 4 different reports to do a count of data:
1) index="wineventlog" sourcetype="wineventlog:application" SourceName=Endpoint EventCode=* Type=Erreur RecordNumber "Type=Erreur" SourceName | stats count by Type
2) index="wineventlog" sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement | stats count by Type
3)....
4)....
I want to use only 1 report.
How can I do this, please?
You should be able to combine your searches with OR.
index="wineventlog" (sourcetype="wineventlog:application" SourceName=Endpoint EventCode=* Type=Erreur RecordNumber "Type=Erreur" SourceName) OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber EventCode=* Type=Avertissement) OR (...) OR (...) | stats count by Type
Many thanks, it's perfect (I had forgotten the parentheses).
I would like another enhancement, please.
In my dashboard I would like to add a column with the 5 items below.
The items are not linked to an event.
McAfee_Critical_Errors
Sysmon_Critical_Errors
Application, Security & System_Critical_Errors
PowerShell_Critical_Errors
Operational Scheduled task_Critical_Errors
Thanks for your help.
It depends on the source for those 5 items. Perhaps you should post a new question on that topic.
In fact I use this query:
index="wineventlog" (sourcetype="wineventlog:application" SourceName=endpoint SourceName="McAfee Endpoint Security" EventCode=* Type=Erreur RecordNumber "Type=Erreur") OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" RecordNumber SourceName="Microsoft-Windows-TaskScheduler" EventCode=* Type=Avertissement) OR (sourcetype="wineventlog:*" "Type=Critique" RecordNumber) OR (sourcetype="WinEventLog:Windows PowerShell" (EventCode=400 OR EventCode=600) RecordNumber) | stats count by SourceName Type
I just have a problem with the sourcetype "wineventlog", because its SourceName is variable,
so I would like to rename this sourcetype as "Windows Events".
I tried with rename but it doesn't work! Syntax problem?
Thanks
@jip31jip31 please accept @richgalloway 's answer if your issue is resolved 🙂
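Putting the thread together, here is an added example that is not from any of the posts above. In SPL, `rename` changes field names, not field values, which is why it cannot turn a variable SourceName into a fixed label; `eval` with `case()` does that, assigning one of the five dashboard labels to each OR branch and a catch-all label to the `wineventlog:*` branch. The McAfee, Task Scheduler and PowerShell branches and the French-locale `Type` values come from the query in the thread; the Sysmon sourcetype `WinEventLog:Microsoft-Windows-Sysmon/Operational` is an assumption about how this index is fed, since no Sysmon search appears on the page.

```spl
index="wineventlog"
    (sourcetype="wineventlog:application" SourceName="McAfee Endpoint Security" Type=Erreur)
    OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Type=Erreur)
    OR (sourcetype="WinEventLog:Microsoft-Windows-TaskScheduler/Operational" SourceName="Microsoft-Windows-TaskScheduler" Type=Avertissement)
    OR (sourcetype="WinEventLog:Windows PowerShell" (EventCode=400 OR EventCode=600))
    OR (sourcetype="wineventlog:*" Type=Critique)
| eval category=case(
    sourcetype=="wineventlog:application" AND SourceName=="McAfee Endpoint Security", "McAfee_Critical_Errors",
    sourcetype=="WinEventLog:Microsoft-Windows-Sysmon/Operational", "Sysmon_Critical_Errors",
    sourcetype=="WinEventLog:Microsoft-Windows-TaskScheduler/Operational", "Operational Scheduled task_Critical_Errors",
    sourcetype=="WinEventLog:Windows PowerShell", "PowerShell_Critical_Errors",
    sourcetype=="WinEventLog:Security" OR sourcetype=="WinEventLog:System" OR sourcetype=="wineventlog:application", "Application, Security & System_Critical_Errors",
    true(), "Windows Events")
| stats count by category, Type
```

Two things to watch: `case()` returns the first matching pair, so the specific McAfee test must come before the generic Application/Security/System test, otherwise every application-log event would be absorbed by the broader label; and the parentheses around `EventCode=400 OR EventCode=600` are required, because without them the OR binds the PowerShell sourcetype to only one of the two event codes. The last `true()` pair is the catch-all the question asked for: anything from the wildcard `wineventlog:*` branch that no earlier rule claims is counted under "Windows Events" regardless of its SourceName.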