Hi,
I use the code below in order to count some events from 3 fields
(LogName, SourceName, Type):
index="windows" (sourcetype="wineventlog:application" OR sourcetype="wineventlog:security" OR sourcetype="wineventlog:system" Type="Critique" OR Type="Avertissement") | stats count by LogName SourceName Type | rename LogName as EventViewer_Source | sort -count
Now I want to sum the different counts I have with the code above by LogName and by Type.
I tried to do this but...
index="windows" (sourcetype="wineventlog:application" OR sourcetype="wineventlog:security" OR sourcetype="wineventlog:system" Type="Critique" OR Type="Avertissement") | stats sum(count) as Total by LogName, Type
Thanks