Hi Tony, You can try forwarding those logs using syslogger. HEC is a valid option but the major drawback is the data loss in case of receiver (HF) down. ... View more

bin command needed another argument with _time but that did work | eval _time=strptime(Date, "%-m/%-d/%Y") | bin span=1mon _time | ... View more

Try moving the bin to before the eventstats and add a by _time to eventstats. index=network sourcetype=nessus severity!=informational signature=Windows OR signature=Adobe OR signature=Java OR signature_family="Windows : Microsoft Bulletins" OR signature_family="Red Hat Local Security Checks" OR signature="Google Chrome*" OR signature="Firefox*" OR signature="MS*" OR signature="Flash Player*" OR signature="Solaris*" | dedup dest_dns signature_id | bin span=1mon _time | eventstats dc(dest_dns) as TotalDNS by _time | stats sum(cvss_base_score) as TotalScore max(TotalDNS) as TotalDNS by _time | eval "Avg Host Patch Score"=TotalScore/TotalDNS ... View more

You could do it this way: sourcetype=wineventlog* |stats values(EventCode) by ComputerName |rename values(EventCode) AS eventCodeList |search (eventCodeList=1002 AND eventCodeList=1004 AND eventCodeList=1006) Basically I am pulling the values in the EventCode and grouping by ComputerName, I rename that field and then I do a subsearch for those 3 values in my initial result set. Depending on what you want the final result to look like, you may want to think about time frame, sequence of event codes and if you want to narrow your initial search to a smaller event code population to streamline the initial search. That said, hopefully this gets you on your way. ... View more

Was able to get it working perfectly. Thanks again for all of your help sundareshr. ... View more

The transaction on MID isn't enough, because the different models of ESA spawn new MID's and reference the original MID as "internal_message_id". Instead, a more complex union is required to accomplish the Ironport logs self-join. | union [ search index=ironport mid=* (message_size=* OR internal_message_id=* OR sender=* OR recipient=* OR subject=*) | eval message_size_mb=(message_size_mb/1024/1024) | fields mid, message_size_mb, internal_message_id, sender, recipient, subject, _time | stats min(_time) as _time values(*) as * by mid] [ search index=ironport file_name=* | rename mid as internal_message_id | stats min(_time) as _time values(file_name) as file_names by internal_message_id | fields internal_message_id file_names _time] | stats values(*) as * min(_time) as _time by internal_message_id | search mid=* message_size_mb=* | table _time, mid, internal_message_id, sender, subject, recipient, message_size_mb, file_names | collect index=ironport sourcetype=ironport:summary addtime=false This search will look at ironport logs in the index=ironport which have MID=* and other key values. Then using this as a union change the MID as internal_message_ID and search again for associated records. Finally, collect the data into a new sourcetype=ironport:summary and use the original data time for the summary to preserve the event's original time. Run this search as a scheduled search to populate email data either for a data model or to query directly on the new summarized information. ... View more