Something like the following should work, where you pull in both sets of information, create a joining field, and aggregate with a stats field. Make sure to run this over a finite enough time frame that you won't be pulling in multiple sources of information, else you'll have to add a bin statement to bucket time in a way that makes sense for what you're trying to do:
index=wineventlog (EventType=4 EventCode=12 OR EventCode=13) OR (EventCode=1100 ComputerName!=HD* ComputerName!=HL*)
| eval host=coalesce(host, ComputerName) # assumption made here that ComputerName and host represent the same values
| eval EventTypeFromOS=if(EventType IN (4, 12, 13), 1, 0)
| eval EventTypeFromLoggingService=if(EventType=1100, 1, 0)
| stats values(EventTypeFromOS) as EventTypeFromOS, values(EventTypeFromLoggingService) as EventTypeFromLoggingService by host
|search EventTypeFromLoggingService=1 AND EventTypeFromOS=0
At a high level, this pulls in both events, creates a host field which is the coalesced field of host and ComputerName which I assume represent the same value, if not, change it to one that does, create a verbose field that represents if the event is from the first set of logs or the second, take the values of that by host (the field we created), and search for where loggingservice is not null and OS log is null (meaning it's an issue on one end and not the other).
Hope this helps
... View more