Hi,
Here is my search query:

```spl
index=* sourcetype="WMI:WinEventLog:Application" SourceName="Investran RS Word Processing Service" Message=* | table Message, SourceName, _time | dedup _time | sort -_time
```
and this brings up:
![alt text][1]
[1]: /storage/temp/217585-search.png
So what I am trying to do, if possible, is calculate the average time between stop/start, and if that average is greater than, let's say, 10 mins, only bring up those results/messages.
Thanks,
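One way to get the gap between each stop and the following start, as an added example that is not part of the original question or any posted answer. It keeps the original base search and assumes (since the screenshot does not show the message text) that the stop and start events can be told apart by the words "stop" and "start" appearing somewhere in `Message`; the `state` field, the `prev_*` fields and the `downtime_min` field are names introduced here, and the 10 minute threshold is the one from the question.

```spl
index=* sourcetype="WMI:WinEventLog:Application" SourceName="Investran RS Word Processing Service" Message=*
| eval state=case(match(Message,"(?i)stop"),"stop", match(Message,"(?i)start"),"start")
| where isnotnull(state)
| sort 0 _time
| streamstats current=f last(_time) as prev_time last(state) as prev_state
| where state="start" AND prev_state="stop"
| eval downtime_min=round((_time-prev_time)/60,1)
| where downtime_min>10
| eval prev_time=strftime(prev_time,"%Y-%m-%d %H:%M:%S")
| table prev_time _time downtime_min Message
```

`sort 0 _time` puts the events in chronological order (the `0` removes the default 10,000-row limit), and `streamstats current=f` carries the previous event's time and state onto each row, so a start event that directly follows a stop event gets its downtime computed as the difference of the two `_time` values. The final `where` keeps only gaps above 10 minutes; replace it with `| stats avg(downtime_min) as avg_downtime_min` if the average across all stop/start pairs is wanted instead of the individual events.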