topic How to correlate log collection with specific Windows eventcode? in Reporting

How to correlate log collection with specific Windows eventcode?

nicolsa — Thu, 27 Aug 2020 21:11:48 GMT

Hello,

I'm trying to find a search to correlate (graph overlay) log collect with specific windows eventcode (4608 for windows is starting up ; 6005 :The event log service was started 6006 The Event log service was stopped)

like this

host=machine | timechart count by host

and the other part would be

host=machine EventCode=4608 OR EventCode=6005 OR EventCode=6006 | timechart count by EventCode

I'm a little bit lost with appendcols /append/ join ...

How can I do this? Thank you for your help

Re: correlate log collection with specific windows eventcode

richgalloway — Thu, 27 Aug 2020 18:22:01 GMT

What is the desired output?

Re: correlate log collection with specific windows eventcode

thambisetty — Thu, 27 Aug 2020 19:12:07 GMT

I believe the below search you shared should give you what you are expecting.

<p>host=machine EventCode=4608 OR EventCode=6005 OR EventCode=6006 | timechart count by EventCode</p>

Re: correlate log collection with specific windows eventcode

nicolsa — Thu, 27 Aug 2020 19:20:05 GMT

I'm searching to have a chart overlay. A curve representing the log collection (log event count) of the universal forwarder machine, and a column chart for windows eventcode for the same universal forwarder. the x-axis would be _time

Re: correlate log collection with specific windows eventcode

thambisetty — Thu, 27 Aug 2020 19:23:30 GMT

host=machine EventCode=4608 OR EventCode=6005 OR EventCode=6006 | chart count over _time by EventCode

click on visualization format option go to y-axis choose count as chart overlay.