Is it possible to combine these two search result...

jimmerb83 · ‎10-26-2017

I have two very different search queries that I am having a hard time combining into one search.

Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in over 5 minutes:

Search 2 ingests the Windows Update Logs (C:\Windows\WindowsUpdate.log) and searches for the log entry "AU initiates service shutdown" which is generated when the server is shut down gracefully:

host=WinServer1 "AU initiates service shutdown"

The purpose of combining these searches is to create two alerts: One that will indicate the server has been shut down gracefully and another if the server has experience a hard shutdown.

For example, if the server has a graceful shutdown, the search terms would be combined as: Search 1 AND Search 2.

If the server has a hard shutdown, the search terms would be combined as: Search 1 NOT Search 2.

I am unable to find the right way to use boolean operators to combine these 2 searches, and am not sure if it would be even possible considering they are both looking for very different data. Any help is greatly appreciated.

DalJeanis · ‎10-26-2017

Try something like this...

(your search 1)
OR (your search 2)
| fields host lastTime   whatever you want to see from either search
| where (test for search 1 AND now()-lastTime>=300) OR (test for search 2)
| eval shutdown = case(test for search 2,"Graceful")
| stats values(*) as * by host
| eval shutdown = coalesce(shutdown,"Hard")

Is it possible to combine these two search results to create 1 alert?

Re: Is it possible to combine these two search results to create 1 alert?