Basically I have this relevance which looks for event IDs 4226 which are warnings (I’m not actually looking for these, I just don’t happen to have the right eventlog entries on my machine and so am looking for some dummy numbers)
(times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string
This then returns the times for each entry. Now from that, what I actually want to find are the following:
maximum of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string
and a
number of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string
without just joining these two long queries.
I thought this would do it
(maximum of it, number of it) of times generated of records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log
but clearly not.
I’m fairly sure I’m missing something obvious. Anyone point me in the right direction?
This is a great question. You are not missing anything easy or obvious. While not being the most efficient solution, sticking the two separate statements together is the way to go.
(maximum of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string, number of it of (times generated of (records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log)) as string)
The reason for this is that when you use IT without a WHOSE to reference a list, IT iterates through the list one item at a time and performs the operation(s) on each item individually. In most cases this is the desired behavior. You can use IT to correlate separate pieces of information about each item in your list and have the information remain "joined" together in a new list.
In our case, the trouble is that creation methods like
maximum of
and
number of
want to operate on an entire list rather than the individual elements of a list. So you cannot use IT substitution because IT will break your list into its pieces.
This is why
(maximum of it, number of it) of times generated of records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log
does not error out, but is functionally equivalent to this:
(it, 1) of times generated of records whose (event id of it mod 2147483648 mod 1073741824 = 4226 and event type of it = warning event log event type) of system event log
As IT runs through the list, each element will be its own maximum and the number of each item on the list is 1.
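The per-item behaviour described in the answer is easiest to see on a short literal list, where the two results can be compared side by side. The following is an added example in BigFix relevance (QnA / Fixlet Debugger style, `Q:` is the query and `A:` the result lines); it is not code from the original question or answer. The third query also goes one step beyond the thread: it uses `set of` to turn the plural list into a single set object, so that `it` refers to the whole collection and `maximum of elements of it` and `size of it` run once against it. That the same shape carries over to the `times generated of ...` list in the question depends on the result type being usable with `set of`, which is assumed here rather than taken from the page.

```relevance
// Constructed sample list standing in for the event log times: three integers.

// 1. IT substitution breaks the list into single items, so each item is
//    its own maximum and its own count of 1 (what the answer describes).
Q: (maximum of it, number of it) of (3; 7; 5)
A: 3, 1
A: 7, 1
A: 5, 1

// 2. Writing the list out twice evaluates each aggregate over the whole list.
Q: (maximum of (3; 7; 5), number of (3; 7; 5))
A: 7, 3

// 3. Wrapping the list in "set of" yields one object, so IT is the whole set;
//    "elements of it" recovers the items for maximum, and "size of it" counts them.
//    The underlying list is written only once.
Q: (maximum of elements of it, size of it) of set of (3; 7; 5)
A: 7, 3
```

In form 3 a set drops duplicate values, so `size of it` counts distinct items; if duplicates must be counted, form 2 (or `number of elements of it` only when duplicates do not matter) is the one to use.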