Hi, I just started Splunk yesterday and was looking for the proper syntax for searching for the creation of registry keys on all machines and, if possible, how to get alerts for deleted reg keys. I haven't touched every dashboard in Splunk, but I imagine a simple table that includes all machines in the network with reg key counts would be the way to go. I'm not sure about the alerts part for deleted keys.
Hi @Chase ,
as usual, to have a result in Splunk requires 70% knowledge of the matter to search and less than 30% Splunk knowledge.
You need knowledge about Windows registry key registration or deletion, so you should search for which EventCodes to use in the search;
in your case, the EventCodes to use are probably:
4657 A registry value was modified
5039 A registry key was virtualized
I cannot help you more because I'm not a windows expert.
Ciao.
Giuseppe
I did see that event code listed as a response to someone asking a previous question, and after attempting to pipe it to our index it said "unknown search cmd '4657'". What is the proper syntax for searching EventCodes?
Hi @Chase ,
this field is usually named EventCode in Windows logs:
index=wineventlog EventCode=4657
beware that the field name is case-sensitive.
In addition, if possible, try to avoid "All time" in your searches because it's too expensive and long a search.
Ciao.
Giuseppe
Your initial search can find all the events in your index (within the time constraints of the search) which have the string in them:
index=<your index> "4657"
OK, so after trying that string with my index and switching the time range to 'All time' (and getting a ton of irrelevant hits), I opened one of the hits and found that "EventID" had its own field. Just as a reference for anyone else looking at this issue later:
A search without that field option gives 5,800+ events. 99 is about what I expect from an index that started 8 days ago. Thanks for the help.
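To make the difference between the two searches in this thread concrete, here is an added example (not from the original thread and not Splunk's own code): a small Python emulation of the bare-string search against the field search over a handful of constructed WinEventLog-style events, followed by a per-host count of the 4657 events like the table asked for in the question. Host names, timestamps, process IDs, logon IDs and registry paths in the sample are invented; the SPL lines in the comments are Giuseppe's and the other reply's searches plus the standard `stats count BY` pattern, and `ComputerName` is assumed as the host field.

```python
import re
from collections import Counter

# Constructed sample in the classic Splunk WinEventLog text layout
# (key=value header lines, then the message body). Hosts, times, PIDs,
# logon IDs and registry paths are invented for this example.
SAMPLE_EVENTS = [
    # Registry value modified on a workstation: the event the question is about.
    """03/14/2024 09:12:01 AM
EventCode=4657
ComputerName=WS-FINANCE-01
Message=A registry value was modified.
Object Name:\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
""",
    # Process creation whose PID happens to contain the digits 4657.
    """03/14/2024 09:15:44 AM
EventCode=4688
ComputerName=WS-FINANCE-01
Message=A new process has been created.
New Process ID:\t0x4657
""",
    """03/14/2024 09:20:05 AM
EventCode=4657
ComputerName=WS-FINANCE-01
Message=A registry value was modified.
Object Name:\t\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Example
""",
    """03/14/2024 09:22:18 AM
EventCode=4657
ComputerName=WS-FINANCE-02
Message=A registry value was modified.
Object Name:\t\\REGISTRY\\USER\\S-1-5-21-111-222-333-1001\\Software\\Example
""",
    """03/14/2024 09:25:33 AM
EventCode=4657
ComputerName=DC-01
Message=A registry value was modified.
Object Name:\t\\REGISTRY\\MACHINE\\SOFTWARE\\Example
""",
    # Logon whose Logon ID also contains the digits 4657.
    """03/14/2024 09:28:50 AM
EventCode=4624
ComputerName=DC-01
Message=An account was successfully logged on.
Logon ID:\t0x14657
""",
    # Logoff with no 4657 anywhere in it.
    """03/14/2024 09:30:10 AM
EventCode=4634
ComputerName=DC-01
Message=An account was logged off.
Logon ID:\t0x3F2A1
""",
]

FIELD_LINE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)


def parse_event(raw):
    """Pull the key=value header lines out as fields, the way Splunk's
    WinEventLog extraction does, and keep the raw text for term search."""
    fields = {key: value.strip() for key, value in FIELD_LINE.findall(raw)}
    fields["_raw"] = raw
    return fields


def string_search(events, term):
    """SPL:  index=<your index> "4657"
    A bare term matches anywhere in the raw event, so PIDs and logon IDs
    that happen to contain the same digits are hits too."""
    return [e for e in events if term in e["_raw"]]


def field_search(events, field, value):
    """SPL:  index=wineventlog EventCode=4657
    Only the named field is compared. Field names are case-sensitive
    (EventCode, not eventcode), so a wrongly cased name silently matches
    nothing; values are compared case-insensitively as Splunk does."""
    return [e for e in events if e.get(field, "").lower() == value.lower()]


def count_by_host(events, host_field="ComputerName"):
    """SPL:  | stats count BY ComputerName  (one row per machine)."""
    return dict(Counter(e.get(host_field, "unknown") for e in events))


def registry_change_counts(raw_events, code="4657", field="EventCode"):
    """End to end: parse, keep only the registry events, count per host."""
    parsed = [parse_event(raw) for raw in raw_events]
    return count_by_host(field_search(parsed, field, code))


if __name__ == "__main__":
    parsed = [parse_event(raw) for raw in SAMPLE_EVENTS]
    print("bare string '4657':", len(string_search(parsed, "4657")), "events")
    print("EventCode=4657:", len(field_search(parsed, "EventCode", "4657")), "events")
    print("eventcode=4657:", len(field_search(parsed, "eventcode", "4657")), "events")
    for host, n in sorted(registry_change_counts(SAMPLE_EVENTS).items()):
        print(f"{host:<16}{n}")
```

On the sample, the bare-string search returns six of the seven events (the 4688 and 4624 events match only because their PID and Logon ID contain the digits), while `EventCode=4657` returns the four real registry events, which is the same effect as the 5,800+ versus 99 hits described above. The Splunk equivalent of the per-host table is `index=wineventlog EventCode=4657 | stats count BY ComputerName` over a bounded time range rather than "All time"; if your data carries the code in a field named `EventID` instead, as found above, use that name.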
OK, so now you have learned that your data has fields which you can use to refine your search, as you have done. This is the sort of thing you need to understand about your data. Don't forget that we can only provide answers based on the information you give us; although we can make educated guesses based on experience, they may not always be correct.
The first thing you need to do is understand the data you have in Splunk. What events have you already ingested?