Hi,
We have an app called Splunk App for Windows Infrastructure which is all defined. When we choose Windows and then Event Monitoring from the Apps bar we get options for type, source name, event code etc. When we open the hosts event monitoring in a search we get the search as eventtype="wineventlog_common" source="inEventLog:" (host="" OR ComputerName="") TaskCategory="" SourceName="" EventCode="*" Type="Error" * | stats sparkline as "Trend", count by host | sort -count
But this doesn't supply what I actually want. I want to get the top 5 servers giving the most errors and warnings from their Application and System event logs within the last, say, 30 mins, or in real time, with the rate of change happening. But I'm puzzled as to how I get to this. I have run the
index=win*
| head 1000 which displays all my event log info from my servers.
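One way to build the search the question asks for, as an added example that is not the poster's own search and not part of the Splunk App for Windows Infrastructure: it counts Error and Warning events from the Application and System logs per host over the last 30 minutes, keeps a sparkline trend, splits the window into the most recent 15 minutes versus the 15 minutes before that to express a rate of change, and returns the five noisiest hosts. The source names `WinEventLog:Application` and `WinEventLog:System` and the `Type` field are assumed to follow the naming used by the Splunk Add-on for Windows (the original search shows `Type="Error"` and a truncated `source="...inEventLog:"`); adjust them if your inputs are named differently.

```spl
index=win* (source="WinEventLog:Application" OR source="WinEventLog:System") (Type="Error" OR Type="Warning") earliest=-30m latest=now
| eval window=if(_time >= relative_time(now(), "-15m"), "recent", "prior")
| stats sparkline(count, 5m) AS Trend count(eval(window="recent")) AS recent_count count(eval(window="prior")) AS prior_count count AS total by host
| eval delta=recent_count-prior_count
| eval pct_change=if(prior_count>0, round(100*delta/prior_count, 1), null())
| sort -total
| head 5
| table host total recent_count prior_count delta pct_change Trend
```

The `earliest=-30m latest=now` pair fixes the 30-minute window inside the search itself; to run it as a real-time panel instead, remove those two terms and pick a rolling real-time range (for example 30 minutes) in the time picker, and the recent/prior split keeps working because `now()` is re-evaluated on each refresh. `pct_change` is left empty rather than divided by zero when a host had no events in the earlier half-window, and `delta` (positive when a host is getting noisier) can be used as an alternate sort key or alert condition.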