Hello
I use the code below in order to count the number of hosts by OS and by build, but it doesn't work.
Could you help me, please?
host=*
index="windows" sourcetype="wineventlog"
SourceName="*" Type="Critique" OR Type="*"
| dedup host
| stats count by host
| join host [search index=windows sourcetype=winregistry key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion"
OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
|eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null)
| stats values(data) as OS by host]
| stats count values(host) by OS, Build
| rename count as Total
| table OS Build Total
| sort -Total limit=10
Give this a try
host=*
index="windows" sourcetype="wineventlog" SourceName="*" Type="Critique" OR Type="*"
| dedup host
| stats count by host
| append [search index=windows sourcetype=winregistry key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion"
OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
| eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data,null()),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null())
| stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build
| sort -Total limit=10
I think
| stats count values(host) by OS, Build
is wrong.
Try:
index=* | stats values(host) as HostCount by OS Build
Thanks a lot, it's perfect.
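Added example, not part of the thread: a variant of the "Give this a try" query that keeps hosts which send event logs but have no matching registry event, since `stats ... by OS Build` silently drops rows where either field is null and those hosts would otherwise vanish from the inventory. The key_path values are the ones quoted in the thread; the `unknown` placeholder and the `Hosts` field name are assumptions made for illustration.

```spl
index="windows" sourcetype="wineventlog" SourceName="*" Type="Critique" OR Type="*"
| stats count by host
| append
    [ search index="windows" sourcetype="winregistry"
        (key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion"
         OR key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId")
      | eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion", data, null()),
             Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId", data, null())
      | stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| fillnull value="unknown" OS Build
| stats count as Total values(host) as Hosts by OS Build
| sort 10 -Total
```

Rows where OS or Build is `unknown` list the hosts with a registry-collection gap, which are the ones whose patch level cannot be confirmed from this data.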