Source Names

Event Monitoring - Windows

Event Host eventtype=wineventlog_index_windows eventtype="wineventlog_common" source="*inEventLog:$LogName$" TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" "$event.additional$"| eval Host=if(isnull(Host), upper(host), upper(Host)) | fields Host | mvexpand Host | dedup Host | table Host | sort Host Host Host All * * Log Name All eventtype=wineventlog_index_windows eventtype="wineventlog_common" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" "$event.additional$" | fields LogName | mvexpand LogName | dedup LogName | table LogName | sort LogName LogName LogName * * Source Name All eventtype=wineventlog_index_windows eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" EventCode="$EventCode$" Type="$Type$" "$event.additional$" | fields SourceName | mvexpand SourceName | dedup SourceName | table SourceName | sort SourceName SourceName SourceName * * Task Category All eventtype=wineventlog_index_windows eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" "$event.additional$" | fields TaskCategory | mvexpand TaskCategory | dedup TaskCategory | table TaskCategory | sort TaskCategory TaskCategory TaskCategory * Event Code All eventtype=wineventlog_index_windows eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" Type="$Type$" "$event.additional$" | fields EventCode | mvexpand EventCode | dedup EventCode | table EventCode | sort EventCode EventCode EventCode * * All eventtype=wineventlog_index_windows eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" "$event.additional$" | fields Type | mvexpand Type | dedup Type | table Type | sort Type Type Type * * Additional Terms * -15m now

Source Names eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" "$event.additional$" | stats sparkline as "Trend", count by SourceName | sort -count $time.earliest$ $time.latest$

Task Categories eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | stats sparkline as "Trend", count by TaskCategory | sort -count $time.earliest$ $time.latest$

Hosts eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | stats sparkline as "Trend", count by host | sort -count $time.earliest$ $time.latest$

Event IDs eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | eval EventCodeDescription=if(isnull(EventCodeDescription), mvindex(split(Message, "."), 0), EventCodeDescription) | stats sparkline as "Trend", count by EventCode, EventCodeDescription | sort -count $time.earliest$ $time.latest$

Event Count By Hosts - Over Time eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | timechart span=1m count by host $time.earliest$ $time.latest$ Event Count By Event Code - Over Time eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | timechart span=1m count by EventCode $time.earliest$ $time.latest$ Event Counts By Log Name - Over Time eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | timechart span=1m count by LogName $time.earliest$ $time.latest$ Event Counts By Type - Over Time eventtype="wineventlog_common" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" $event.additional$ | timechart span=1m count by Type $time.earliest$ $time.latest$

More reports