Hi Everyone,
I am looking for a way to create a dashboard that shows when a host event count hits 0. I was using the following query I took from another dashboard and tweaked a little bit:
“
// Group by hostname and calendar day of the event
$Event_Type = principal.hostname
$Date = timestamp.get_date(metadata.event_timestamp.seconds)
metadata.log_type = "WINEVTLOG"
match:
$Date, $Event_Type
outcome:
// Number of events seen for that host on that day
$Count = count(metadata.id)
condition:
$Count <= 1
order:
$Date asc
“
This gives me values that show when a value is less than or equal to 1. It shows over the last 7 days that there were days when the value was 0, but when I attempt to have it search for when $Count = 0 I don't get a result. I understand that is probably because the value does not exist so it can't pull back a null value, but is there a way to get this to pull when there is no value?
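The "can't count what isn't there" problem described above is usually solved outside the match-based query by building the full date-by-host grid yourself and outer-joining the query's per-day counts onto it, so an absent row becomes an explicit zero. The example below is an added illustration, not code from the original post or from the product; the sample rows, the hostnames and the expected-host list are constructed, and the row layout (date, hostname, count) is assumed to match what a daily per-host query like the one above would export.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: one row per (day, host) that logged at least one event,
# as a daily per-host count query would return them. Days with no events
# produce no row at all, which is why a condition like $Count = 0 never fires.
SAMPLE_ROWS = [
    ("2024-03-01", "dc01", 412),
    ("2024-03-02", "dc01", 398),
    ("2024-03-03", "dc01", 1),
    ("2024-03-01", "ws17", 57),
    ("2024-03-02", "ws17", 0),   # an explicit zero, if the export ever has one
    ("2024-03-03", "ws17", 61),
]
# Assumed inventory of hosts that are expected to report every day.
EXPECTED_HOSTS = {"dc01", "ws17", "fs02"}


def daily_counts(rows):
    """Collapse rows into {(date, host): count}; duplicate rows are summed."""
    counts = defaultdict(int)
    for day, host, n in rows:
        counts[(date.fromisoformat(day), host)] += n
    return dict(counts)


def date_range(start, end):
    """Yield every calendar day from start to end inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def silent_host_days(rows, expected_hosts, start_iso, end_iso):
    """Return sorted (date, host) pairs where an expected host logged nothing.

    The full day x host grid is generated locally and the query results are
    looked up against it, so a missing row is reported as a zero-count day
    just like an explicit zero would be.
    """
    counts = daily_counts(rows)
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    missing = []
    for d in date_range(start, end):
        for host in sorted(expected_hosts):
            if counts.get((d, host), 0) == 0:
                missing.append((d.isoformat(), host))
    return missing


if __name__ == "__main__":
    for day, host in silent_host_days(SAMPLE_ROWS, EXPECTED_HOSTS, "2024-03-01", "2024-03-03"):
        print(f"{day}: no WINEVTLOG events from {host}")
```

Feeding the result back as a dashboard series or an alert gives the zero-count days the query alone cannot produce.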