Hey guys, I have been struggling with this for a few days now, but I can't find a good/efficient solution for my problem. I want to check 3 different Windows event IDs (for example 1, 2 and 3), where two of them precede the third. This is no problem at all, but my scheduled search should look for event ID 3 within a time range of 25 minutes. The problem is that the preceding event IDs (1, 2) could occur within a time range of 10 h BEFORE event ID 3. If there are no such preceding events, an alarm should be triggered. I could let the search run for the last 10 hours, but I think there would be many false alarms.

In short:
- check for event ID 3 within -20m@m and -1m@m
- check for every found event ID 3 whether there are preceding event IDs 1 OR 2 within the last 10 h

At the moment I am doing this:

| tstats summariesonly=true allow_old_summaries=true count AS eventCount_3 from datamodel=Windows
...
| join type=left user [| tstats summariesonly=true allow_old_summaries=true count AS eventCount_1 from datamodel=Windows
...
| join type=left user [| tstats summariesonly=true allow_old_summaries=true count AS eventCount_2 from datamodel=Windows
...
| eval goodAuth=if((eventCount_1>=1 OR eventCount_2>=1),1,0)

Unfortunately, the "earliest" and "latest" statements will not work with "tstats summariesonly". I hope you understand my problem.

Best regards,
Tim
...
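The correlation Tim describes, written out as a small stand-alone Python script so the intended logic can be checked against sample data before it is expressed in SPL. This is an added example, not code from the post or from Splunk: it assumes the detection window is [-20m@m, -1m@m) relative to the search time, that a precursor only counts if it belongs to the same user (the post's joins are on `user`) and occurred strictly before the event ID 3 but no more than 10 h earlier, and that each unmatched ID 3 is one alarm. The `Event` class, the `find_unpreceded` function and the sample events are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One Windows event, reduced to the three fields the correlation needs."""
    time: datetime
    event_id: int
    user: str


def snap_to_minute(t: datetime) -> datetime:
    """Mimic Splunk's @m snapping: drop seconds and microseconds."""
    return t.replace(second=0, microsecond=0)


def find_unpreceded(events, now, target_id=3, precursor_ids=(1, 2),
                    window_start=timedelta(minutes=20),
                    window_end=timedelta(minutes=1),
                    lookback=timedelta(hours=10)):
    """Return the target events (default ID 3) inside the detection window
    [now-20m@m, now-1m@m) that have NO precursor event (default IDs 1 or 2)
    for the same user in the `lookback` period before them. Each returned
    event is one alarm; events outside the window are left to other runs.
    """
    base = snap_to_minute(now)
    start, end = base - window_start, base - window_end

    targets = sorted(
        (e for e in events if e.event_id == target_id and start <= e.time < end),
        key=lambda e: e.time,
    )

    alarms = []
    for t in targets:
        # A precursor must be the same user, carry one of the precursor IDs,
        # and lie strictly before the target but no more than `lookback` earlier.
        preceded = any(
            e.user == t.user
            and e.event_id in precursor_ids
            and t.time - lookback <= e.time < t.time
            for e in events
        )
        if not preceded:
            alarms.append(t)
    return alarms


def ts(h, m, s=0):
    """Helper for the constructed timestamps below (all on 2024-01-01)."""
    return datetime(2024, 1, 1, h, m, s)


# Constructed sample data (not real logs); the scheduled search runs at 12:00:37,
# so the window is [11:40, 11:59) and the lookback is 10 h before each ID 3.
NOW = ts(12, 0, 37)
SAMPLE_EVENTS = [
    Event(ts(3, 30), 1, "alice"),       # precursor 8.5 h before alice's ID 3 -> fine
    Event(ts(11, 50), 3, "alice"),
    Event(ts(11, 45), 3, "bob"),        # no precursor at all -> alarm
    Event(ts(0, 30), 2, "carol"),       # precursor 11.5 h earlier, outside 10 h -> alarm
    Event(ts(11, 55), 3, "carol"),
    Event(ts(11, 30), 3, "dave"),       # before -20m@m, not examined by this run
    Event(ts(11, 58), 3, "erin"),       # ID 1 arrives after ID 3, so not preceding -> alarm
    Event(ts(11, 58, 30), 1, "erin"),
    Event(ts(11, 59, 10), 3, "gina"),   # at/after -1m@m, picked up by a later run
]


def run_sample():
    """Alarms for the constructed data as (user, HH:MM) pairs."""
    return [(a.user, a.time.strftime("%H:%M"))
            for a in find_unpreceded(SAMPLE_EVENTS, NOW)]


if __name__ == "__main__":
    for user, when in run_sample():
        print(f"ALARM: event ID 3 for {user} at {when} with no ID 1/2 in the preceding 10 h")
```

Running it reports bob, carol and erin; alice is cleared by her ID 1 from 8.5 h earlier, dave and gina fall outside the 19-minute window, and carol's ID 2 is too old to count. Keeping the window and the lookback as separate parameters is what the SPL version also needs: the short window selects which ID 3 events this run is responsible for, while the precursor check reaches back a further 10 h from each of those events, so running the whole search over 10 h would alert on every ID 3 in that span instead of only the recent ones.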