@charlottelimcl Check this: I have used the makeresults command for dummy data.

| makeresults
| eval _raw="
_time,ComputerName,Account_Name,EventCode,Object_Name,Process_Name
2023-10-27 10:00:00,PC1,user1,4688,,/path/to/parent.exe
2023-10-27 10:00:01,PC1,user1,4663,/path/to/hello.exe,/path/to/welcome.exe
2023-10-27 10:01:00,PC2,user2,4688,,/path/to/another.exe
2023-10-27 10:01:02,PC2,user2,4663,/path/to/goodbye.exe,/path/to/start.exe
2023-10-27 10:02:00,PC3,user3,4688,,/path/to/third.exe
2023-10-27 10:02:03,PC3,user3,4663,/path/to/final.exe,/path/to/launch.exe
"
| multikv forceheader=1
| eval _time=strptime(_time,"%Y-%m-%d %H:%M:%S")
| stats
    earliest(_time) AS _time
    values(ComputerName) AS ComputerName
    values(eval(if(EventCode=4663, Process_Name, ""))) AS New_Process_Name
    values(eval(if(EventCode=4688, Process_Name, ""))) AS Initiating_Process_Name
    values(eval(if(EventCode=4663, Object_Name, ""))) AS Object_Name
    BY Account_Name
| table _time ComputerName Account_Name New_Process_Name Initiating_Process_Name Object_Name

In this example:
makeresults generates dummy events.
eval creates the raw data with the necessary fields.
multikv parses the raw data into individual fields.
stats aggregates the data as per your requirements.
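The same 4688/4663 correlation carried out in plain Python, as an added example that is not part of the post above: it parses the constructed rows, groups them by Account_Name, keeps the earliest time and the distinct process and object values per event code, and skips non-matching rows instead of inserting an empty placeholder, so the result has one row per account with the same columns as the final | table command.

```python
from collections import defaultdict
from datetime import datetime
import csv

# Constructed sample data: the same rows as the makeresults block above.
RAW = """\
_time,ComputerName,Account_Name,EventCode,Object_Name,Process_Name
2023-10-27 10:00:00,PC1,user1,4688,,/path/to/parent.exe
2023-10-27 10:00:01,PC1,user1,4663,/path/to/hello.exe,/path/to/welcome.exe
2023-10-27 10:01:00,PC2,user2,4688,,/path/to/another.exe
2023-10-27 10:01:02,PC2,user2,4663,/path/to/goodbye.exe,/path/to/start.exe
2023-10-27 10:02:00,PC3,user3,4688,,/path/to/third.exe
2023-10-27 10:02:03,PC3,user3,4663,/path/to/final.exe,/path/to/launch.exe
"""

def parse_events(raw):
    # Equivalent of multikv forceheader=1 plus strptime: the header row names the fields.
    events = []
    for row in csv.DictReader(raw.splitlines()):
        row["_time"] = datetime.strptime(row["_time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events

def correlate_by_account(events):
    # stats ... BY Account_Name: earliest _time and distinct values per event code.
    groups = defaultdict(lambda: {"_time": None, "ComputerName": set(),
                                  "New_Process_Name": set(),
                                  "Initiating_Process_Name": set(), "Object_Name": set()})
    for ev in events:
        g = groups[ev["Account_Name"]]
        if g["_time"] is None or ev["_time"] < g["_time"]:
            g["_time"] = ev["_time"]
        g["ComputerName"].add(ev["ComputerName"])
        # Only the matching event code contributes; non-matching rows add nothing,
        # so no blank placeholder value ends up in the multivalue columns.
        if ev["EventCode"] == "4663":
            g["New_Process_Name"].add(ev["Process_Name"])
            if ev["Object_Name"]:
                g["Object_Name"].add(ev["Object_Name"])
        elif ev["EventCode"] == "4688":
            g["Initiating_Process_Name"].add(ev["Process_Name"])
    # One row per account, columns in the order of the final | table command.
    return [{"_time": g["_time"], "ComputerName": sorted(g["ComputerName"]),
             "Account_Name": acct, "New_Process_Name": sorted(g["New_Process_Name"]),
             "Initiating_Process_Name": sorted(g["Initiating_Process_Name"]),
             "Object_Name": sorted(g["Object_Name"])} for acct, g in sorted(groups.items())]

if __name__ == "__main__":
    for row in correlate_by_account(parse_events(RAW)):
        print(row)
```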