I’m trying to report on a generic Event id but filter with the decription of the Event.
So far I have the folloiwing relevance which returns all hanging applicaitons with the event id 1002. But I would prefer to filter by application for example 'Outlook.exe". If I had description contains “Outlook.exe” I appear to get a True or False and only some of the relevance below.
Any help appreciated. Thanks.
( time generated of it, description of it ) of items 1 of it whose ( time generated of item 1 of it = item 0 of it ) of ( maximum of times generated of records whose ( event id of it = 1002 ) of it, records whose ( event id of it = 1002 ) of it ) of application event log
q: ( time generated of it, description of it ) of items 1 of it whose ( time generated of item 1 of it = item 0 of it ) of ( maximum of times generated of records whose ( event id of it = 1002 AND description of it as lowercase contains “outlook.exe”) of it, records whose ( event id of it = 1002 AND description of it as lowercase contains “outlook.exe”) of it ) of application event log
A: ( Mon, 02 Jun 2008 16:08:21 -0700 ), ( The program OUTLOOK.EXE version 12.0.6300.5000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: 2a8 Start Time: 01c8c36d0271915c Termination Time: 24 )
Be careful… this can be very long running relevance (30 sec+ on my computer) and so if it is a property, it should be evaluated infrequently.