Need Help With A Search

I am monitoring Windows Event Logs and need to query based on the event_data_process name of c:\some\path\executable.exe.

When I search for that exact path, with or without quotes, I get zero results though I have a multitude of events with that process name in them.

@poisedforflight
I take it event_data_ProcessName is the field you're searching, and that field holds the path to the exe.
Have you tried to execute "Show top values" for the field event_data_ProcessName?

For an example, I created a field called "service".

Shown below would be all the data in that field for a day. I believe this would give you a better overview. If the data you want is not shown, I would check on your client side to see if it's working.

It would help more if we had the details of your Graylog setup. Also what are you using to ship your logs (i.e. NXlog, beats, etc…)?
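A point worth checking alongside the "Show top values" suggestion: Graylog searches use Lucene query syntax, in which the backslashes and the colon in a Windows path are special characters and must be escaped. A path typed as-is, with or without quotes, therefore often does not match what is stored. The following is an added example, not code from the thread or from Graylog, that builds a correctly escaped query for the field name event_data_ProcessName used above; the path value is the one from the question and is treated here as constructed sample input.

```python
# Added example: build a Graylog (Lucene syntax) query for a Windows process path.
# Assumes the field is named event_data_ProcessName, as in the thread.

# Characters the Lucene classic query parser treats specially in an unquoted term.
LUCENE_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/ ')


def escape_lucene_term(value: str) -> str:
    """Escape every special character with a backslash (unquoted term form)."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def escape_lucene_phrase(value: str) -> str:
    """Escape for use inside double quotes: only backslash and the quote itself need it."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_field_query(field: str, value: str, quoted: bool = True) -> str:
    """Return field:value with the value escaped, as a quoted phrase or an unquoted term."""
    if quoted:
        return f'{field}:"{escape_lucene_phrase(value)}"'
    return f"{field}:{escape_lucene_term(value)}"


# Constructed sample input: the path from the original question.
PROCESS_PATH = r"c:\some\path\executable.exe"

if __name__ == "__main__":
    # Quoted form, e.g. event_data_ProcessName:"c:\\some\\path\\executable.exe"
    print(build_field_query("event_data_ProcessName", PROCESS_PATH))
    # Unquoted form, e.g. event_data_ProcessName:c\:\\some\\path\\executable.exe
    print(build_field_query("event_data_ProcessName", PROCESS_PATH, quoted=False))
```

Paste the printed query into the Graylog search bar. If it still returns nothing, compare the stored values shown by "Show top values" against the path you are typing; differences in case or drive-letter form will also prevent an exact match.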
