I have a report that shows me the items installed on my systems for the prior day. The only problem is Monday: as no one works on Sunday, the report is always blank, but it should show for all day Friday, Saturday and Sunday. Monday's report should show for Friday and the weekend.
Can I do this with the same search or do I have to create a new search?
index=ea sourcetype="*wineventlog:application" EventCode=11707 OR EventCode=11708 OR EventCode=11728 host!="*dev*" earliest=-1d@d latest=@d
| eval date_wday = strftime(_time, "%A")
| dedup _raw
| rex field=Message "(?s)Product: (?<product_name>.*) --"
| table _time date_wday host User product_name EventCode
| eval status=case(EventCode == 11708, "Failed", EventCode == 11707, "Success", EventCode == 11728, "Success")
| rename _time AS Time host AS Server product_name AS "Product Installed" status AS "Status"
| convert timeformat="%m/%d/%Y - %H:%M:%S" ctime(Time)
| fields Time Server User "Product Installed" Status EventCode