Hello
I use the code below.
I'm doing an outputlookup at the end of the query, but I want to do it with a condition.
The condition is that Build=1511.
Do I have to use a where command, or is there another solution, please?
```spl
eventtype="AppliEV" Level=*
| dedup host
| stats count by host
| append
    [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\xx"
      OR key_path="\\registry\\machine\\xx"
    | eval OS=if(key_path=="\\registry\\machine\\software\\xx", "<OS value>", null()),
           Build=if(key_path=="\\registry\\machine\\software\\xx", "<Build value>", null())
    | stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build host
| fields - host
| outputlookup build.csv
```
Hi!
You can use a where command in this way:

```spl
...
| stats count as Total by OS Build host
| fields - host
| appendpipe
    [ where Build="1511"
    | outputlookup override_if_empty=f build.csv
    | where nofield="novalue" ]
```

It helps to avoid overriding build.csv with an empty file in case Build is not 1511.
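To see the conditional write behave end to end without touching real data, here is a self-contained version of the same pattern (an added example, not code from the question or the answer above). It builds three constructed rows with `makeresults`, so it runs on any Splunk instance; `build_test.csv` is a placeholder lookup name chosen for this example.

```spl
| makeresults count=3
| streamstats count as n
| eval host="host".n, OS="Windows 10", Build=if(n==2, "1607", "1511")
| stats count as Total by OS Build host
| fields - host
| appendpipe
    [ where Build="1511"
    | outputlookup override_if_empty=f build_test.csv
    | where nofield="novalue" ]
```

The `appendpipe` subsearch receives a copy of the results, keeps only rows where `Build` is `1511` and writes those to the lookup. Because the rows are then filtered by `nofield="novalue"` (a comparison on a field that never exists, so it is always false), nothing is appended back, and the outer search still returns all rows. `override_if_empty=f` means that when no row matches the condition, the existing lookup file is left untouched rather than replaced with an empty one. Change the `1511` in the `eval` to another value to confirm the lookup is not overwritten.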
This is awesome! Thank you.
many thanks