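``` Flag 20-second windows in which PowerShell module logging (EventCode 4103) mentions the svchost.exe binary path more than 20 times, then add the number of flagged windows to the running total kept in AvL_hist_test.csv. ```
``` EventCode is filtered in the base search rather than a trailing | search, so the index does the narrowing. ```
* LogName="Microsoft-Windows-PowerShell/Operational" EventCode="4103" earliest=-1000m latest=now
``` like() is case-sensitive; NOTE(review): confirm the path casing matches the text actually logged. ```
| chart count(eval(like(_raw,"%C:\Windows\system32\svchost.exe%"))) AS svchost_command over _time span=20s
``` Alerting threshold: more than 20 matching events per 20-second bucket. ```
| where svchost_command>20
``` Only over-threshold buckets survive the where, so message is a constant here. ```
| eval message="Detected"
``` Number of flagged buckets, placed on every row; a second run of the whole search in an append subsearch is not needed. ```
| eventstats count AS nr_events
``` Running total from the lookup, merged column-wise. A row-wise append would never place nr_events_history and nr_events on the same row, leaving the sum null. Assumes a single-row CSV with an nr_events_history column — TODO confirm. ```
| appendcols [| inputlookup AvL_hist_test.csv | stats max(nr_events_history) AS nr_events_history]
``` appendcols fills only the first row; copy the value down so the sum is defined on every row. ```
| filldown nr_events_history
| eval new_number_events=nr_events_history+nr_events
| table _time,message,nr_events_history,nr_events,new_number_events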