Hello,
I'm trying to find a search to correlate (graph overlay) log collect with specific windows eventcode (4608 for windows is starting up ; 6005 :The event log service was started 6006 The Event log service was stopped)
like this
host=machine | timechart count by host
and the other part would be
host=machine EventCode=4608 OR EventCode=6005 OR EventCode=6006 | timechart count by EventCode
I'm a little bit lost with appendcols /append/ join ...
How can I do this? Thank you for your help
I believe the below search you shared should give you what you are expecting.
<p>host=machine EventCode=4608 OR EventCode=6005 OR EventCode=6006 | timechart count by EventCode</p>
I'm searching to have a chart overlay. A curve representing the log collection (log event count) of the universal forwarder machine, and a column chart for windows eventcode for the same universal forwarder. the x-axis would be _time
host=machine EventCode=4608 OR EventCode=6005 OR EventCode=6006 | chart count over _time by EventCode
click on visualization format option go to y-axis choose count as chart overlay.