I have two very different search queries that I am having a hard time combining into one search.
Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in over 5 minutes:
| metadata type=hosts index=* | search host=WinServer1 | where now()-lastTime>=300 | table host lastTime | eval lastTime=strftime(lastTime, "%c")
Search 2 ingests the Windows Update Logs (C:\Windows\WindowsUpdate.log) and searches for the log entry "AU initiates service shutdown" which is generated when the server is shut down gracefully:
host=WinServer1 "AU initiates service shutdown"
The purpose of combining these searches is to create two alerts: one that will indicate the server has been shut down gracefully and another if the server has experienced a hard shutdown.
For example, if the server has a graceful shutdown, the search terms would be combined as: Search 1 AND Search 2.
If the server has a hard shutdown, the search terms would be combined as: Search 1 NOT Search 2.
I am unable to find the right way to use boolean operators to combine these 2 searches, and am not sure if it would be even possible considering they are both looking for very different data. Any help is greatly appreciated.
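One way to express the "Search 1 AND Search 2" / "Search 1 NOT Search 2" logic as a single SPL search, added here as an illustration and not part of the original post: the metadata search detects the silent host, an append subsearch counts the "AU initiates service shutdown" events for the same host, and a final eval labels the result. The host name WinServer1 comes from the question; the 15-minute look-back for the shutdown message (earliest=-15m) and the field names silent, graceful_events and state are assumptions.

```spl
| metadata type=hosts index=*
| search host=WinServer1
| where now()-lastTime>=300
| eval silent=1
| append
    [ search host=WinServer1 "AU initiates service shutdown" earliest=-15m
      | stats count AS graceful_events by host ]
| stats max(silent) AS silent, max(lastTime) AS lastTime, max(graceful_events) AS graceful_events by host
| eval silent=coalesce(silent, 0), graceful_events=coalesce(graceful_events, 0)
| where silent=1
| eval state=if(graceful_events>0, "graceful shutdown", "hard shutdown")
| eval lastTime=strftime(lastTime, "%c")
| table host state lastTime graceful_events
```

A host that is still sending data never gets silent=1 and is dropped by the where clause, so the search returns a row only when the forwarder has gone quiet, with state telling the two cases apart. To keep two separate alerts, schedule the same search twice and append | search state="graceful shutdown" to one and | search state="hard shutdown" to the other; the look-back in the subsearch must be at least as long as the alert's scheduling interval, or the shutdown message can fall outside the window and a graceful stop will be reported as a hard one.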