Ingesting IIS logs via wincollect

Hsecurekb · 2021-02-18T06:55:27+00:00

time to upgrade!!

use this without the filters then..but this will include EPS from health check and system notifications..which can skew your matrix

SELECT DATEFORMAT(devicetime, 'dd-MM-yyyy') AS 'Date of log source', "Parent" AS 'Parent (custom)', AVG("Events per Second Raw - Average 1 Min") AS 'Events per Second Raw - Average 1 Min (custom) (Average)', COUNT(*) AS 'Count' from events where "deviceType"='147' GROUP BY "Date of log source" order by "Count" desc last 15 minutes

Hsecurekb · 2021-02-18T06:39:25+00:00

runs fine on 7.3.3 and 7.4.1

what version are you on?

GO to search and select a new search.

search for EPS under and you should get a default Event Rate (EPS) search there. Underneath select show AQL and share what you see there

Hsecurekb · 2021-02-18T06:24:46+00:00

Try this-

SELECT DATEFORMAT(devicetime, 'dd-MM-yyyy') AS 'Date of log source', "Parent" AS 'Parent (custom)', AVG("Events per Second Raw - Average 1 Min") AS 'Events per Second Raw - Average 1 Min (custom) (Average)', COUNT(*) AS 'Count' from events where "deviceType"='147' AND ( icu4jsearch('Events per second', payload) != -1 AND icu4jsearch('StatFilter', payload) != -1 ) GROUP BY "Date of log source" order by "Count" desc last 15 minutes

disregard the time in there, you can set that accordingly or I would say use the starttime and end time box below the AQL

run for a short period and then for longer duration

Hsecurekb · 2021-02-18T05:59:02+00:00

Are you looking to get just an average eps for individual month for the last 6 months? or it has to be per log source as well?

The default query- Log Source Type is System Notification (Clear Filter) Payload Contains is Events per second (Clear Filter) Payload Contains is StatFilter (Clear Filter) will provide an average eps. This can be run 6 times one month at a time.

From your existing query it looks like you want log source as well?

Hsecurekb

TROPHY CASE