We currently have an alert that shows any time a server is rebooted. We have some servers that reboot at the same time every day. Is there an easy way to filter out those servers for only the time frame that they reboot in, but still report if that same server is rebooted outside that window of time? Here is our current query:
index=winevents (EventCode=4609 OR EventCode=6008 OR EventCode=513 OR EventCode=4608 OR EventCode=1074) | table ComputerName, _time, EventCode, name, user, Message | rename ComputerName AS "Host Name" _time AS "Time" EventCode AS "Event Code" name AS "Event" user AS "Origin Login" Message AS "Reason" | convert timeformat="%Y/%m/%d %H:%M:%S" ctime("Time")
If I insert (host=[servername] earliest!=@d-3 latest!=@d-2) after my index statement and before the event codes, this successfully filters out that server's reboot, but won't give me any results for any other server for any time frame. I have multiple servers I would like to do this for. I know I could create separate alerts for the servers that reboot every night and then just NOT them out of the all-inclusive alert, but I would like to just integrate all of them into one alert. Any ideas?
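One way to keep a single alert while suppressing only the scheduled reboots, as an added example (not code from the original post): compute the minute-of-day for each event and mark it as expected when the host and time fall inside a per-host maintenance window; everything else, including a scheduled host rebooting at an unexpected hour, still reaches the table. The host names (srv-batch01, srv-batch02) and window times are constructed placeholders; the field name ComputerName and the event codes come from the query in the question.

```spl
index=winevents (EventCode=4609 OR EventCode=6008 OR EventCode=513 OR EventCode=4608 OR EventCode=1074)
| eval mins=tonumber(strftime(_time, "%H")) * 60 + tonumber(strftime(_time, "%M"))
| eval expected=case(
    ComputerName="srv-batch01" AND mins>=120 AND mins<=135, "yes",
    ComputerName="srv-batch02" AND mins>=180 AND mins<=195, "yes",
    true(), "no")
| where expected="no"
| table ComputerName, _time, EventCode, name, user, Message
| rename ComputerName AS "Host Name" _time AS "Time" EventCode AS "Event Code" name AS "Event" user AS "Origin Login" Message AS "Reason"
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime("Time")
```

Two points to check before relying on this: strftime renders _time in the timezone of the user who owns the saved search, so the window values (120 = 02:00, 135 = 02:15 in the example) must be expressed in that timezone; and a reboot produces both shutdown events (6008, 1074, 4609) and startup events (4608, 513) a few minutes apart, so each window has to be wide enough to cover the whole cycle or the startup events will still alert. If the list of scheduled hosts grows, the same logic can be moved into a lookup table of host, window_start and window_end and joined with the lookup command instead of maintaining the case() list by hand.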