Hello,
I use the request below for retrieving some information from the Windows event viewer, but in my dashboard I need to aggregate other information from another sourcetype.
This sourcetype comes from another input ([WinHostMon://computer]) or from wmi.conf ([WMI:Computer]).
My question is: how to aggregate data in my SPL command for these 2 cases?
Thanks
index="wineventlog" sourcetype="wineventlog:*" SourceName="*" (Type="Critique" OR Type="Avertissement")
| stats count by host
| eventstats sum(count) as Total, dc(host) as "Number of machines"
| eval percent=round((count/Total)*100,1)
| eval host=host." (count: ".count.", percent: ".percent.")"
| fields - count Total
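One way to aggregate the two sources in a single search, added here as an example and not the poster's own query: run one search that matches all the sourcetypes involved, tag each event with whether it is an event-log entry or a computer-inventory record, and let `stats ... by host` merge them, since `host` is the key both inputs share. The index used for the WinHostMon and WMI events, the `Type="Computer"` value of the WinHostMon records, and the inventory field names `OS`, `Manufacturer` and `Model` are assumptions; substitute the names your inputs actually emit.

```spl
(index="wineventlog" sourcetype="wineventlog:*" (Type="Critique" OR Type="Avertissement"))
    OR (index="wineventlog" sourcetype="WinHostMon" Type="Computer")
    OR (index="wineventlog" sourcetype="WMI:Computer")
| eval event_count=if(match(sourcetype, "(?i)^wineventlog"), 1, 0)
| stats sum(event_count) as count,
        latest(OS) as OS,
        latest(Manufacturer) as Manufacturer,
        latest(Model) as Model
        by host
| where count > 0
| eventstats sum(count) as Total, dc(host) as "Number of machines"
| eval percent=round((count/Total)*100,1)
| table host count percent OS Manufacturer Model "Number of machines"
```

The `event_count` flag keeps inventory records from being counted as warnings or critical events, and `latest(...)` picks the most recent inventory values per host. `where count > 0` drops hosts that only have inventory data and no matching events; remove that line if you want every known machine listed with a count of 0 (use `fillnull value=0 count` before the `eventstats` in that case). This single `stats` pass is usually preferable to `join host`, which is limited to 50,000 rows on the subsearch side and silently truncates beyond that.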