That's correct. Thank you for your help. I made the change per your recommendation and I think I'm set. You did a great job answering my questions and explaining in detail the correct search syntax. ... View more

The host reboots once a week and these EventCodes are generated as a consequence. EventCode=1100 is generated when the event logging service has shut down. This is anticipated since the workstation is shutting down. Upon the system booting back up, EventCode=4608 is generated. What I want to do is capture EventCode=1100 outside that reboot window. For some reason the EventCode=1100 and EventCode=4608 are not one to one, but there seems to be more EventCode=1100 than EventCode=4608 produced during the reboot process. EventCode=1100 happening outside that window would be suspicious as someone would have disabled event logging. That's when I want to be able to catch it and make the alert an actionable alert. ... View more

The interesting thing is that these "orphans" are taking place within the time frame of EventCode=1100 being followed by EventCode=4608. Is there a way to search for "orphans" outside that time range only? ... View more

To be clear, the original answer provided by @elliotproebstel does work. ... View more

If do the following search for the past four days and deliberately leave out "| where _txn_orphan=1" to see the total number of EventCode=1100, I get 5 results for EventCode=1100: index=wineventlog source="WinEventLog:Security" host=workstation1 ((EventCode=1100 body="The event logging service has shut down.") OR (EventCode=4608 ) ) | transaction startswith=eval(EventCode=1100) endswith=eval(EventCode=4608) maxspan=1m keeporphans=true | eval Time=strftime(_time, "%b %d %H:%M:%S") | table Time, EventCode, host,body,action | rename body to "Event Message", action to "Final Action", host to "Host Name", Time to "Time of Event" The following results of the above search show EventCode=1100 as an "orphan" five times: Time of Event EventCode Host Name Event Message Final Action Oct 22 23:02:07 1100 4608 WORKSTATION1 The event logging service has shut down. Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. stopped success Oct 22 23:02:07 1100 4608 WORKSTATION1 The event logging service has shut down. Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. stopped success Oct 22 23:02:07 1100 WORKSTATION1 The event logging service has shut down. stopped Oct 22 23:02:07 1100 WORKSTATION1 The event logging service has shut down. stopped Oct 22 23:02:07 1100 WORKSTATION1 The event logging service has shut down. stopped Oct 22 01:14:47 1100 4608 WORKSTATION1 The event logging service has shut down. Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. stopped success Oct 22 01:14:47 1100 WORKSTATION1 The event logging service has shut down. stopped Oct 21 01:14:37 1100 4608 WORKSTATION1 The event logging service has shut down. Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. stopped success Oct 21 01:14:37 1100 WORKSTATION1 The event logging service has shut down. stopped And, if I do the streamstats version of the search below, I get 7 results for EventCode=1100. index=wineventlog source="WinEventLog:Security" host=workstation1 ((EventCode=1100 body="The event logging service has shut down.") OR (EventCode=4608 ) ) | streamstats count BY host reset_after=(EventCode=1100) time_window=1m | search EventCode=1100 count=1 | eval Time=strftime(_time, "%b %d %H:%M:%S") | table Time, EventCode, host,body,action | rename body to "Event Message", action to "Final Action", host to "Host Name", Time to "Time of Event" I'm doing the search for the same time. Why are the results of the search different as far as the number of EventCode=1100 is concerned? ... View more

And, when I run the search suggested by Ravan, I get the following error: Error in 'rex' command: Encountered the following error while compiling the regex '^.*\__{1}(?P.*)\_\_': Regex: unrecognized character after (?P ... View more

I'm getting the following error when I run twinspop search: Error in 'rex' command: Encountered the following error while compiling the regex '\s(?:(?:search_id)|(?:sid))=[\'"]?(?<search_id>[^ \'",]+)': Regex: syntax error in subpattern name (missing terminator) ... View more