I want to get a list of all hosts not sending "WinEventLog:Security".
So index=wineventlog, get list of hosts, remove any that have reported "WinEventLog:Security".
How can I do this?
| tstats count WHERE index=wineventlog groupby host sourcetype | chart sum(count) over host by sourcetype | addtotals | search Total>0 NOT WinEventLog:Security>1

I had to use the NOT WinEventLog:Security>1 as isnull and =0, ="0", and <1 all did not work.
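An alternative form of the same check, added here as an example and not part of the original answer: it keeps sourcetype as a value instead of pivoting it into a column, so the filter never has to reference a field named WinEventLog:Security. The field names events, total_events, security_events and sourcetypes_seen are assumptions chosen for this example.

```spl
| tstats count AS events WHERE index=wineventlog BY host sourcetype
| stats sum(events) AS total_events
        sum(eval(if(sourcetype=="WinEventLog:Security", events, 0))) AS security_events
        values(sourcetype) AS sourcetypes_seen
        BY host
| where total_events > 0 AND security_events = 0
| sort - total_events
| table host total_events sourcetypes_seen
```

Like the query above, this only lists hosts that sent at least one event to index=wineventlog within the search time range; a host that sent nothing at all has to be found by comparing against an asset inventory.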