I performed this search
index=* source="WinEventLog:System" EventCode=3 host=jj1 | table host, _time, message
and get the following results:
jj1 2016-05-02 18:27:04 Service started.
jj1 2016-05-02 18:23:55 VMCI: Using capabilities (0xc).
I want to narrow this down with the following search
index=* source="WinEventLog:System" EventCode=3 host=jj1 _time>="2016-05-02 18:27:04" |table host, _time, Message
I receive no results. Please advise on how to make this work.
Many thanks.
↧