Has anyone been able to figure out how to search indexed XmlWinEventLog sourcetype sample logs in the Ingest Action GUI? The actual search being used uses the |where command, which seems to be the issue.
index=* OR index=_* sourcetype="XmlWinEventLog"
| where sourcetype="XmlWinEventLog"
| head 100