I want to have one report/search string which states how much data was indexed for a particular EventCode (say EventCode=4668) in Windows event logs, in GB.
As we know, we have license_usage.log for tracking the data, but there we don't have a facility to break it down by any other event field.
I have the search below which shows how much data came from a particular sourcetype, but I need to have that by EventCode.
index=_internal source="*license_usage.log" type=Usage idx=security st=WinEventLog:Security | eval TotalGB=round(b/1024/1024/1024,4)| table _time, TotalGB, st, idx
Can anyone help me with this?
License usage is by bytes so you can just get it out of your data itself, like this:
index=* EventCode=4668 | bin _time span=1d | stats sum(eval(len(_raw))) as b by _time, sourcetype, index | eval TotalGB=round(b/1024/1024/1024,4) | table _time, TotalGB, sourcetype, index
It would be best to limit your index (and maybe sourcetype, too) to only those which might have EventCode fields.
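As an added example (not from the original answer), the same idea extended to all EventCodes at once, so you can see which codes consume the most of your daily volume. It assumes the Security events live in the `security` index with sourcetype `WinEventLog:Security` as in the question; `len(_raw)` counts characters rather than bytes, so for ASCII event text this approximates license usage but is not the exact figure from license_usage.log.

```spl
index=security sourcetype="WinEventLog:Security" EventCode=*
| bin _time span=1d
| stats sum(eval(len(_raw))) as bytes count as events by _time, EventCode
| eventstats sum(bytes) as day_bytes by _time
| eval TotalGB=round(bytes/1024/1024/1024,4)
| eval pct_of_day=round(100*bytes/day_bytes,2)
| sort _time -bytes
| table _time, EventCode, events, TotalGB, pct_of_day
```

Restrict the time range (for example `earliest=-7d@d`) before running this over a busy Security index, since it has to read every event rather than the summary in license_usage.log.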