Search I am trying to use:
index="wineventlog" (EventCode=4656 Accesses=DELETE) OR EventCode=1102 OR EventCode=4670 OR EventCode=564 | `get_date(now())` | `aggregate("Endpoint - FIM - Rule".date.Object_Name)` | eval _time=now() | eval orig_raw=_raw | fields - _raw
If I leave in the macro
`aggregate("Endpoint - FIM - Rule".date.Object_Name)`
I receive an error stating aggregate(1), and I haven't been able to find any information on what my syntax issue is.
If I take out the aggregate macro, the search will bring back results.
Two items that I need help with:
What am I doing wrong with the aggregate macro syntax?
Even though the search brings back results, notable events are not created.
Thank you!