I find that the logs are not pointing to the right source/sourcetype. Logs are going to source="WinEventLog:Application" sourcetype="WinEventLog" instead of source="WinEventLog:Security" sourcetype="WinEventLog:Security".
Can someone help me fix this to get the right source/sourcetype?
index=*_windows
(sourcetype="WinEventLog:Security" OR source="WinEventLog:Security") (EventCode=1102 OR EventCode=517) Message="The audit log was cleared*"
| bucket span=1h _time
| stats count by _time, user, ComputerName, signature, index
| eval index=case(index="***_appliances","***_appliances",index="***_windows","***_windows",index="***_linux","***_linux",1=1,index)
| eval AF="0007"
| lookup ****_Thresholds.csv index AF OUTPUT Threshold ID Sev
| fillnull value="UNKNOWN" ID
| fillnull value=9999999 Threshold
| where count>Threshold
| fields - index AF
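An inputs.conf stanza that pins the Security channel to the sourcetype the search above expects, added here as an example and not part of the original post or of Splunk's own add-on configuration. It assumes Splunk's native Windows event log input, where `source` is derived from the channel name (`WinEventLog:Security`) and the sourcetype defaults to `WinEventLog` unless the stanza sets it explicitly; the index name is a placeholder.

```ini
# inputs.conf on the universal forwarder (or in the Windows add-on's local/ directory).
# Added example, not from the original post. The index name is a placeholder.

[WinEventLog://Security]
disabled = 0
# Without this line the sourcetype defaults to WinEventLog; setting it makes the
# sourcetype="WinEventLog:Security" filter in the search match.
sourcetype = WinEventLog:Security
index = your_windows_index
# Keep the classic (non-XML) rendering so the Message field is extracted as the
# search expects; with renderXml = true the source becomes XmlWinEventLog:Security.
renderXml = false
```

After restarting the forwarder, check where the events actually land with `index=*_windows EventCode=1102 | stats count by source, sourcetype, index` before trusting the threshold alert. Note that the posted search already accepts either `sourcetype="WinEventLog:Security"` or `source="WinEventLog:Security"`, so events collected with the default `WinEventLog` sourcetype still match as long as they come from the Security channel; events whose source is `WinEventLog:Application` are being collected by the Application stanza, not the Security one.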