I am pulling Windows event logs for software updates. There's a column for successRatio that is either Success or Failure as the result. I would like to append my event log search query to give me a total number of Success and total number of Failure. Bonus points if we can make it a numerical value on a dashboard. Here is my initial search query:
index=wineventlog sourcetype=WinEventLog:System EventCode=19
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "\WKB(?<KB>.\d+)\W"
| eval successRatio=mvindex(split(Keywords,","),-1)
| stats count by Date, host, package_title, KB, body, successRatio
| sort host
This works great, but like I said, I'd like to have a total count of success and failures available in a report and a dashboard.
Hey, try this:
index=wineventlog sourcetype=WinEventLog:System EventCode=19
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "\WKB(?<KB>.\d+)\W"
| eval successRatio=mvindex(split(Keywords,","),-1)
| stats count(eval(successRatio="Success")) as "Success_Count" count(eval(successRatio="Failure")) as "Failure_Count" by Date , host, package_title, KB , body
| sort host
Let me know if this helps!
Hello there,
Please try out this search:
index=wineventlog sourcetype=WinEventLog:System EventCode=19
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "\WKB(?<KB>.\d+)\W"
| rex field=Keywords "\w+,\s*(?<status>\S+)"
| stats count(eval(status="Success")) as succeeded count(eval(status="Failure")) as failed
From here you can take it however you would like.
Hope it helps!
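An added Python check, not part of any of the posts above, that replays the two answers' logic (the first answer's per-row Success_Count/Failure_Count and the second answer's overall totals) over constructed sample events, so the KB and Keywords extraction can be sanity-checked offline before the search goes on a dashboard. The event field values, the exact form of the Keywords string, and the use of UTC for the Date field are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (values made up); field names mirror what the
# Splunk Windows add-on extracts for System EventCode=19.
SAMPLE_EVENTS = [
    {"_time": 1709856000, "host": "ws01", "Keywords": "Installation,Success",
     "package_title": "Update A", "body": "Installed update (KB5001234)."},
    {"_time": 1709856100, "host": "ws01", "Keywords": "Installation, Failure",
     "package_title": "Update B", "body": "Installed update (KB5005678)."},
    {"_time": 1709942400, "host": "ws02", "Keywords": "Installation,Success",
     "package_title": "Update A", "body": "Installed update (KB5001234)."},
]

# Same pattern as the searches above, in Python named-group syntax.
KB_RE = re.compile(r"\WKB(?P<KB>.\d+)\W")

def extract_kb(body):
    r"""Equivalent of: rex "\WKB(?<KB>.\d+)\W"  (returns None when no match)."""
    m = KB_RE.search(body)
    return m.group("KB") if m else None

def status_from_keywords(keywords):
    """Equivalent of: eval successRatio=mvindex(split(Keywords,","),-1).
    strip() is an assumption so 'Installation, Failure' (space after the
    comma) is handled the same as 'Installation,Failure'."""
    return keywords.split(",")[-1].strip()

def event_date(epoch):
    """Equivalent of: eval Date=strftime(_time, "%Y/%m/%d") (UTC assumed)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d")

def status_totals(events):
    """Second answer: a single row of succeeded/failed over all events."""
    c = Counter(status_from_keywords(e["Keywords"]) for e in events)
    return {"succeeded": c["Success"], "failed": c["Failure"]}

def status_by_group(events):
    """First answer: Success_Count/Failure_Count per Date, host, package_title, KB, body."""
    groups = defaultdict(lambda: {"Success_Count": 0, "Failure_Count": 0})
    for e in events:
        key = (event_date(e["_time"]), e["host"], e["package_title"],
               extract_kb(e["body"]), e["body"])
        status = status_from_keywords(e["Keywords"])
        if status == "Success":
            groups[key]["Success_Count"] += 1
        elif status == "Failure":
            groups[key]["Failure_Count"] += 1
    return dict(groups)

if __name__ == "__main__":
    print(status_totals(SAMPLE_EVENTS))      # {'succeeded': 2, 'failed': 1}
    for key, counts in status_by_group(SAMPLE_EVENTS).items():
        print(key, counts)
```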