Hello all,
I need some assistance using the search below to produce a timechart of the number of events per day for the last 90 days.
index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25
| search Source_Network_Address="*" ComputerName="*" User="*"
| eval "Source IP" = coalesce(Source_Network_Address,"")
| eval clientip=Source_Network_Address | sort- _time
| iplocation "Source IP" | where isnotnull(lat)
| streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User
| strcat lat "," lon pointA
| haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles
|strcat next_lat "," next_lon pointB |eval time_dif=(((next_time - _time)/60)/60), distance_miles=round(distance_miles, 2), time_dif=round(time_dif, 2)
| timechart span=1d count
sorry I forgot to mention I tried that and it only returns the number of events for the most recent day. If I remove the majority of the evals and customization adding that timechart works just fine.
I was able to resolve this but had to completely alter my search