...ilename
but it seems like I should be using eventstats like
index=logs sourcetype=logs
| eventstats sum(Bytes) as TotalBytes by ip, filename, date_mday, date_month, date_year
| where T...
TL;DR What is wrong with the SPL at the end?
I am trying to list the IIS cs_user_Agent(s) for each test customer. The EventID field that is found in the SystemLog matches up with the IISEventId f...
...otal. A test search that I'm using to try and figure out where things are getting lost looks like this:
... | table account,usage
| eventstats sum(usage) as total
| eventstats sum(usage) as usage...
I get a series of unique sites sending through the size of Database. I would like to show the growth of their DB to see if it is growing too quickly.
I am currently doing this using streamstats an...
A customer asked to remove two monitored files, which I did today.
They asked -
-- Is there a way we can get the exact difference in data per file to see exactly how much reduction this change ...
...escriptor of XX2X , did the ticket get Resolved with the same descriptor.
I use eventstats to find the earliest ShortDescriptor and latest ShortDescriptor and then compare them.
I have this w...
...t a given time) I somewhat get that done with this search:
index=main EventCode=4624 | eval Account=mvindex(Account_Name,1) | eventstats dc(host) AS Logins by Account | where Logins > 1...