Hi @apomona, the question is: on how many servers do you want to check if the above EventCode isn't present? Or, in other words, do you have a monitoring perimeter? If yes, put it in a lookup (called e.g. perimeter.csv) containing at least one column (called host), and then run a search like this:

```
index=wineventlog sourcetype=xmlwineventlog EventCode=4776
| stats count BY host
| append [
    | inputlookup perimeter.csv
    | eval count=0
    | fields host count
  ]
| stats sum(count) AS total BY host
| where total=0
```

If you don't have a perimeter and you're sure that at least in the last hour you received at least one event with this EventCode, you could try:

```
index=wineventlog sourcetype=xmlwineventlog EventCode=4776 earliest=-120m@m latest=@m
| eval period=if(_time>now()-3600,"Last","Previous")
| stats
    dc(period) AS period_count
    values(period) AS period
    latest(_time) AS _time
  BY host
| where period_count=1 AND period="Previous"
```

I prefer the first solution because it gives you more control: using the second one, you check only hosts in the last hour. About the second question, avoid using Real Time alerts because a Real Time search takes a CPU and never releases it! It's always better to run a scheduled search (e.g. every 5 minutes); choose the frequency best suited to your requirements. About the condition, using my solution you can trigger the alert when you have results (results>0). Ciao. Giuseppe
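The two checks described in the answer above, re-implemented in Python over constructed sample events so the logic can be inspected offline (an added example, not code from the original post or from Splunk). The perimeter list, host names, timestamps and the `NOW` epoch are all constructed; the first function mirrors the `stats count BY host | append [inputlookup ...] | stats sum(count)` pattern, the second mirrors the two-window "Last"/"Previous" comparison.

```python
"""Added example: the two 'missing EventCode 4776' checks from the answer,
implemented in plain Python over constructed sample data.

Check 1 mirrors `stats count BY host | append [inputlookup perimeter.csv
| eval count=0] | stats sum(count) AS total BY host | where total=0`:
perimeter hosts that produced no 4776 event at all.

Check 2 mirrors the two-window search: hosts that logged 4776 in the
previous hour but not in the last hour (no perimeter required).
"""
from collections import Counter, defaultdict

# Constructed stand-in for perimeter.csv (single column "host").
PERIMETER = ["dc01", "dc02", "dc03"]

# Constructed reference time and events: (epoch seconds, host, EventCode).
NOW = 1_700_000_000
EVENTS = [
    (NOW - 300, "dc01", 4776),
    (NOW - 900, "dc01", 4776),
    (NOW - 5400, "dc02", 4776),  # 90 min ago: previous hour only
    (NOW - 600, "dc04", 4776),   # active host that is NOT in the perimeter
    (NOW - 120, "dc03", 4624),   # different EventCode, must not count
]


def missing_in_perimeter(events, perimeter, event_code=4776):
    """Check 1: perimeter hosts whose 4776 count sums to zero.

    Hosts outside the perimeter still appear in the per-host totals
    (as they do in the SPL), but only zero totals are reported.
    """
    counts = Counter(host for _, host, code in events if code == event_code)
    totals = defaultdict(int)
    for host, c in counts.items():        # stats count BY host
        totals[host] += c
    for host in perimeter:                # append [inputlookup | eval count=0]
        totals[host] += 0
    return sorted(h for h, t in totals.items() if t == 0)


def went_silent(events, now, event_code=4776, window=3600):
    """Check 2: hosts seen only in the previous window, not the latest one.

    Corresponds to earliest=-2*window latest=now, then
    period=if(_time>now-window,"Last","Previous") and keeping hosts whose
    only period value is "Previous".
    """
    periods = defaultdict(set)
    for t, host, code in events:
        if code != event_code or t <= now - 2 * window or t > now:
            continue                      # outside the two-window search range
        periods[host].add("Last" if t > now - window else "Previous")
    return sorted(h for h, p in periods.items() if p == {"Previous"})


if __name__ == "__main__":
    print("no 4776 in perimeter:", missing_in_perimeter(EVENTS, PERIMETER))
    print("silent in last hour:", went_silent(EVENTS, NOW))
```

Note the difference the answer points out: `went_silent` can only flag hosts that were seen in the previous window, so a host that has been silent for two hours drops out entirely, while `missing_in_perimeter` keeps reporting it as long as it stays in the lookup.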