Hi,
I use the code below in order to count some events from 3 fields (LogName, SourceName, Type):
index="windows" (sourcetype="wineventlog:application" OR sourcetype="wineventlog:security" OR sourcetype="wineventlog:system" Type="Critique" OR Type="Avertissement") | stats count by LogName SourceName Type | rename LogName as EventViewer_Source | sort -count
Now I want to sum the different counts I have with the code above by LogName and by Type.
I do this but .....
Thanks
index="windows" (sourcetype="wineventlog:application" OR sourcetype="wineventlog:security" OR sourcetype="wineventlog:system" Type="Critique" OR Type="Avertissement") | stats sum(count) as Total by LogName, Type