Hello,
I use the query below to retrieve some information from the Windows Event Viewer, but in my dashboard I need to aggregate other information from another sourcetype.
That sourcetype comes either from a WinHostMon input ([WinHostMon://computer]) or from wmi.conf ([WMI:Computer]).
My question is: how do I aggregate the data in my SPL command for these two cases?
Thanks
index="wineventlog" sourcetype="wineventlog:*" SourceName="*" (Type="Critique" OR Type="Avertissement")
| dedup host
| stats count
| rename count AS "Number of machines"
| eventstats sum(count) as Total
| eval percent=round((count/Total)*100,1)
| eval host=host."(count: ".count.", percent: ".percent.")"
| fields - count Total
index="wineventlog" sourcetype="wineventlog:*" SourceName="*" (Type="Critique" OR Type="Avertissement")
| dedup host
| stats count
| rename count AS "Number of machines"
| eventstats sum(count) as Total
| eval percent=round((count/Total)*100,1)
| eval host=host."(count: ".count.", percent: ".percent.")"
| fields - count Total
index="wineventlog" sourcetype="wineventlog:*" SourceName="*" (Type="Critique" OR Type="Avertissement")
| dedup host
| stats count
| rename count AS "Number of machines"
| eventstats sum(count) as Total
| eval percent=round((count/Total)*100,1)
| eval host=host."(count: ".count.", percent: ".percent.")"
| fields - count Total
We formatted your code so it was easier to see the three queries. However, they were identical. Please update to add the second query.
NOBODY TO HELP ME??
Your query is difficult to understand. It looks like it might be two or three searches run together. Can you please edit the question?
Hi,
sorry, the exact query is:
index="wineventlog" sourcetype="wineventlog:*" SourceName="*" (Type="Critique" OR Type="Avertissement")
| dedup host
| stats count
| rename count AS "Number of machines"
| eventstats sum(count) as Total
| eval percent=round((count/Total)*100,1)
| eval host=host."(count: ".count.", percent: ".percent.")"
| fields - count
OK, thanks.
Did your query get mangled by the forum? It looks like it might be two queries stuck together.
BTW, for better performance, use stats dc(host) instead of dedup host | stats count.
Is there any common field present in all sourcetypes?
No, sorry...
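One way to answer the original question (aggregating the event-log alerts with the WinHostMon or WMI inventory data in a single search), as an added example that is not part of the thread and not code from any of the posters. It assumes the WinHostMon input produces sourcetype WinHostMon and the wmi.conf stanza produces sourcetype WMI:Computer (the defaults for those inputs), that both live in the wineventlog index, and that the default host field carries the same machine name in every sourcetype; the host field exists on every indexed event, so it can serve as the common key even when the data fields differ. It also folds in the stats dc(host) suggestion from above and parenthesizes the OR, because without parentheses AND binds tighter than OR and the Avertissement clause would match any index or sourcetype.

```spl
(index="wineventlog" sourcetype="wineventlog:*" (Type="Critique" OR Type="Avertissement"))
    OR (index="wineventlog" (sourcetype="WinHostMon" OR sourcetype="WMI:Computer"))
| eval is_alert = if(sourcetype="WinHostMon" OR sourcetype="WMI:Computer", 0, 1)
| stats sum(is_alert)            AS alert_count,
        count(eval(is_alert=0))  AS inventory_events,
        values(sourcetype)       AS sourcetypes,
        latest(_time)            AS last_seen
        BY host
| eventstats sum(alert_count) AS total_alerts, dc(host) AS "Number of machines"
| eval percent = round(alert_count / total_alerts * 100, 1)
| eval host = host . " (count: " . alert_count . ", percent: " . percent . ")"
| fields - total_alerts
```

Each row is one machine: alert_count is its Critique/Avertissement events, inventory_events shows whether WinHostMon or WMI data was seen for it at all, and the sourcetypes column makes a machine that appears in only one feed easy to spot. If the inventory data is in a different index, put that index in the second parenthesized clause; a join or subsearch is not needed because stats BY host already correlates the two feeds.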