Event Log Relevance

(imported topic written by chenbr91)

Basically I have this relevance which looks for event ID 4226 entries which are warnings (I’m not actually looking for these, I just don’t happen to have the right event log entries on my machine and so am looking for some dummy numbers)

(times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string

This then returns the times for each entry. Now what I actually want to find from that are the following

maximum of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string

and

number of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string

without just joining these two long queries.

I thought this would do it

(maximum of it, number of it) of times generated of records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log

but clearly not.

I’m fairly sure I’m missing something obvious. Anyone point me in the right direction?

(imported comment written by brolly3391)

Hello chenbr,

This is a great question. You are not missing anything easy or obvious. While not being the most efficient solution, sticking the two separate statements together is the way to go.

(maximum of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string, number of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string)

The reason for this is that when you use IT without a WHOSE to reference a list, IT iterates through the list one item at a time and performs the operation(s) on each item individually. In most cases this is the desired behavior. You can use IT to correlate separate pieces of information about each item in your list and have the information remain “joined” together in a new list.

In our case, the trouble is that creation methods like

maximum of

and

number of

want to operate on an entire list rather than the individual elements of a list. So you cannot use IT substitution because IT will break your list into its pieces.

This is why

(maximum of it, number of it) of times generated of records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log

does not error out, but is functionally equivalent to this:

(it, 1) of times generated of records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log

As IT runs through the list, each element will be its own maximum and the number of each item on the list is 1.

Cheers,

Brolly
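To see the per-element behaviour of IT without the long event-log sub-expression, here is an added example (mine, not from the original thread) using a literal integer list. The first expression lets IT bind to one element at a time, the second applies the aggregates to the whole list by repeating it, and the third collapses the plural into a single integer set so that IT names one object. `set of`, `elements of` and `size of` are the relevance inspectors for integer sets; whether the same wrapping exists for the `time` values returned by `times generated of` is an assumption this thread does not confirm, and block comments are assumed to be accepted by the relevance evaluator in use.

```relevance
/* Added example, not from the original thread.
   IT binds to each element in turn, so every element is its own maximum
   and its own count: the same shape as "(it, 1) of ..." above. */
(maximum of it, number of it) of (3; 5; 2)

/* Aggregates applied to the whole plural, at the cost of repeating it,
   which is the joined-statement form Brolly recommends. */
(maximum of (3; 5; 2), number of (3; 5; 2))

/* Collapse the plural into one integer set so IT refers to a single object;
   assumption: an equivalent set exists for time values, which is not
   confirmed by this thread. */
(maximum of elements of it, size of it) of set of (3; 5; 2)
```

The first expression yields three tuples, one per element, each paired with a count of 1; the second and third yield a single tuple with the true maximum and the count of elements. When testing against the real event log, the size check matters too: an empty plural makes `maximum of` produce no result, so the joined form returns nothing rather than a count of 0.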

(imported comment written by chenbr91)

Thanks Brolly! Much appreciated…