topic Re: How do I generate a report listing x sample events for each Windows event code? in Getting Data In

How do I generate a report listing x sample events for each Windows event code?

vhaabqdeltoj — Wed, 02 Dec 2015 20:51:21 GMT

I need to generate a report showing X entries for each type of Windows event code I have. The report would look something like:

Event Code: X (say 4624 for example)

<most recent event with an Event Code of 4624>
<second most recent event and Event Code of 4624>
<<n> most recent event with an Event Code of 4624> where <n> is equal to X above (say 10 for example)

Event Code: Y (say 4625 for example)

<most recent event with an Event Code of 4624>
<second most recent event and Event Code of 4624>
<<n> most recent event with an Event Code of 4624> where <n> is equal to X above (say 10 for example)

Re: How do I generate a report listing x sample events for each Windows event code?

sundareshr — Wed, 02 Dec 2015 22:31:13 GMT

Like this

| streamstats count by EventCode | stats count list(Message) by EventCode | where count <= 5

Re: How do I generate a report listing x sample events for each Windows event code?

vhaabqdeltoj — Thu, 03 Dec 2015 14:20:43 GMT

Thank you. That was very helpful but it left me with one little perplexing problem. During the search, it displays the EventCode and the messages. It looks perfect. Then it gets to "finalizing search". When the search become final, it erases the display and says "no results found". There are events and I could see the results as it was building the search. Any ideas why this happens?