$execution$ $host$ $user$ |eval moresearch=if(execution=index=index1,"",($authentication$) OR ($configuration$) OR ($EventType$))| search AND moresearch
However, every time I issue this search it returns an error that the eval is malformed and expecting ).
In this case let's assume that index1 is signified by Powershell in the attached graphic
Any suggestions are greatly appreciated.
Thanks!
Dustin
Ver: 6.3.8
[1]: /storage/temp/218583-server-timelineexample.png
↧