How do you query an application log for multiple event codes and then organize them in a report based on what codes were seen?
I'm searching 40+ server application logs for Backup Exec codes and, based upon success (34112 or 57755) or failure (34113 or 34114), I want to output the count to either a success or failure column organized by host name.
I know a way (though probably not the best way) to do either a success or failure, but not how to combine them.
What I've got so far is
sourcetype="WMI:WinEventLog:Application" (EventCode=57755 OR EventCode=34112) | stats count by tag, host | rename count as Success
It works, but is only looking for instances when things went correctly.
Can you use the eval command to set a new Success/Failure field?
sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome
(Edit: minor fixes to the EventCode search and eval portions.)
Thank you very much!
Both of those queries worked perfectly if differently.
Thanks lukejadamec - I've updated the example.
You can append the failure code data:
sourcetype="WMI:WinEventLog:Application" (EventCode=57755 OR EventCode=34112) | stats count by tag, host | rename count as Success | append [search index=main sourcetype="WMI:WinEventLog:Application" (EventCode=34113 OR EventCode=34114) | stats count by tag, host | rename count as Failure]
I don't use sub-searches so I always forget their usefulness.
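Neither answer above puts Success and Failure side by side on one row per host: the eval version counts by host and Outcome (two rows per host), and the append version stacks two independent result sets, so each host shows up once with only Success filled and once with only Failure filled. The query below is an added example, not code from any poster in this thread. It keeps the eval/case classification from the first answer and then pivots the outcome into columns with chart, which does the per-host report in a single pass with no subsearch. It assumes the events live in index=main, that EventCode is extracted as a field (as it is for the WMI:WinEventLog:Application sourcetype), and that the four Backup Exec codes from the question are the only ones of interest.

```spl
index=main sourcetype="WMI:WinEventLog:Application"
    (EventCode=34112 OR EventCode=57755 OR EventCode=34113 OR EventCode=34114)
| eval Outcome=case(EventCode==34112 OR EventCode==57755, "Success",
                    EventCode==34113 OR EventCode==34114, "Failure")
| chart count OVER host BY Outcome
| fillnull value=0 Success Failure
| eval Total=Success+Failure
| sort host
```

fillnull matters: a host that only ever failed has no Success value after the chart, and without it the Total arithmetic and any later comparison silently produce nothing for that host. The one thing this query cannot show is a host that logged no backup events at all in the time range; it is absent from the table rather than reported as 0/0, so compare the host column against your server inventory before treating the report as complete. If you prefer to keep the append form from the answer above, adding `| stats sum(Success) AS Success sum(Failure) AS Failure BY tag, host` after the closing bracket collapses the two row sets into the same one-row-per-host layout.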