I will add that most license alerts of >90% are useless without some kind of prediction, as once you hit that point it's usually too late unless you shut off the majority of your logging for the rest of the day. That's why I decided to use a search like this, that will notify me earlier in the day that I've got a unusual spike and that at the current rate I'll exceed the license... It's invaluable even if you have a no-enforcement license, to help notify you of errant hosts (or even large groups of hosts) sending more data than usual. Something more efficient could be written to look at events per second averages or something, but this does the job. ... View more

Hah! that is all @martin_mueller with only slight tweaks for my own purposes as an alert... I take no credit! ... View more

I realize this is an old question - but I just had success filtering Windows Applocker event logs that have renderXml = true set, just by using the key's listed under the "Event Log whitelist and blacklist formats" listed [props.conf] docs1 In my case I wanted to filter out Applocker events where the file was allowed (to help us reduce license usage, because moving to XML increased the event size by 3 times on average). I tried several things, but finally just attempted the standard blacklist = EventCode="8002" and it worked! So it would seem that the whitelist and blacklisting is still done on the plain text version of the event, not the XML one that actually gets forwarded down the pipeline. Hope this helps! ... View more

Hey did you ever get this figured out? Don't want to reinvent the wheel and I would like to get field extraction working for these logs as well. ... View more