Hello
I tried to combine the first query (before | append) with the subsearch ( [ search index=......... ) but it doesn't work.
Could you help me please?
eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3) | dedup _time Name
| stats dc(_time) as Erreurs by Name host
| rename Name as Application
| append
[ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion"
| eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion",data, null())
]
| table _time host Name Level EventCode OS
| rename Name as Application
| sort -_time
As per my understanding of the "append" command, we have to keep the rows (or the list of fields) the same on both searches.
(A slightly modified version; you may need to edit it.)
eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3) | dedup _time Name
| stats dc(_time) as Erreurs by Name host
| append
[ search index="ai-wkst-windows-fr" sourcetype=WinRegistry
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion"
| stats dc(_time) as Erreurs by Name host
]
| table _time host Name Level EventCode OS
| rename Name as Application
| sort -_time
Hi, it doesn't work: no _time, EventCode, Level or OS in the events...
I am not sure, but let's check this: try to return the same table fields from the append back to the original search.
eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3) | dedup _time Name
| stats dc(_time) as Erreurs by Name host
| rename Name as Application
| append
[ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion"
| eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion",data, null())
| table _time host Name Level EventCode OS
]
| table _time host Name Level EventCode OS
| rename Name as Application
| sort -_time
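As an added example, not posted by anyone in this thread: the reason _time, Level and EventCode disappear in the searches above is that `stats` collapses the events to one row per Name/host before `append` runs, and `append` then only stacks the subsearch rows underneath, it never merges them. One way to get the per-event fields and the registry OS value on the same rows is to keep the raw events, bring the registry rows in with `append`, copy OS onto the events per host with `eventstats`, and only then compute the error count (again with `eventstats`, so the rows survive). This keeps the original filters exactly as written, including Name="'*'" and the registry path, and assumes, as the question does, that the registry value is in the field `data` and that each host reports a single WindowsVersion value. The field `src` is an assumed marker added here to tell the two result sets apart.

```spl
eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3)
| dedup _time Name
| eval src="event"
| append
    [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry
          key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion"
      | eval OS=data, src="registry"
      | fields host OS src ]
| eventstats values(OS) as OS by host
| where src="event"
| eventstats dc(_time) as Erreurs by Name host
| table _time host Name Level EventCode OS Erreurs
| rename Name as Application
| sort -_time
```

`eventstats values(OS) as OS by host` fills OS on every row of a host from the registry row of that host; hosts with no WindowsVersion event simply get an empty OS. Keep in mind that `append` runs the bracketed search as a subsearch, which by default is cut off at 50,000 result rows and 60 seconds (`maxout` and `maxtime`), so for a large workstation fleet the registry query should be kept narrow (for example restricted to the same time range or to the latest value per host with `| dedup host`).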