Hello,
In my dashboard, I use 5 different values from the searches below:
index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode
index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information
| dedup _time
| stats count(EventCode) as ErrorCode
index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode
index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode
index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur
| dedup _time
| stats count(EventCode) as ErrorCode
Is it possible to combine these 5 searches into a single report in order to be able to execute a single | loadjob command from my dashboard?
Thanks
I think you have a few options. The way you have written your code so far, it looks like you are just looking for a total count of errors that match any of these 5 search criteria. If that's the case, any of the below should work. If not, then the below options will have to be adjusted for whatever you're trying to do, but that part was not explained in your question.
Option 1:
| multisearch
[search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur]
[search index="windows" sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information]
[search index="windows" sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur]
[search index="windows" sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur]
[search index="windows" sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur]
| dedup _time sourcetype EventCode
| stats count as ErrorCode
Option 2:
index="windows" (sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur) OR (sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information) OR (sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur) OR (sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur) OR (sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur)
| dedup _time sourcetype EventCode
| stats count as ErrorCode
Option 3:
Set tokens for each search separately, then, in a separate search, do the following:
| loadjob $search1$
| append [|loadjob $search2$]
| append [|loadjob $search3$]
| append [|loadjob $search4$]
| append [|loadjob $search5$]
| stats sum(ErrorCode) as ErrorCode
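If the dashboard really needs the five counts as separate values rather than one total, the Option 2 search can be adjusted to keep one row per source instead of collapsing everything into a single count. This is an added example, not part of the answer above; it uses only the five filters from the question and assumes the combined search is saved as a report that the dashboard panels then read with loadjob:

```spl
index="windows" (sourcetype="wineventlog:Application" "SourceName=Application Error" EventCode=1000 Type=Erreur)
    OR (sourcetype="wineventlog:Application" "SourceName=Windows Error Reporting" EventCode=1001 Type=information)
    OR (sourcetype="wineventlog:Application" "SourceName=Application Hang" EventCode=1002 Type=Erreur)
    OR (sourcetype="wineventlog:System" "SourceName=Microsoft-Windows-WER-SystemErrorReporting" EventCode=1001 Type=Erreur)
    OR (sourcetype="wineventlog:Security" "SourceName=Wired-AutoConfig" EventCode=15514 Type=Erreur)
| dedup _time sourcetype EventCode
| stats count as ErrorCode by sourcetype EventCode
```

Because each of the five original searches has a unique sourcetype and EventCode pair, the dedup on `_time sourcetype EventCode` gives the same per-source deduplication as the five separate `dedup _time` commands, and the result has one ErrorCode per source. Each panel then selects its own value from the one saved job, e.g. `| loadjob savedsearch="user:app:report_name" | search sourcetype="wineventlog:Application" EventCode=1000 | fields ErrorCode` (the `user:app:report_name` path is a placeholder for your own saved report).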
Hello @jip31
Not sure about using loadjob; I think it is not possible with loadjob.
I would suggest using a macro, which can help you out in the above case.
Thanks!
Sorry, but I don't understand.
I need to update events directly from my report and not from my dashboard.
To my mind, a macro is going to execute the search from the dashboard, no?
And how is it possible to create a single macro for these 5 searches?