Loki patterns and windows systemevents

fatcharly · January 24, 2022, 4:28pm

Hi,
I’m using grafana 8.3.3 on a CentOS 8 with a loki version 2.4.1 and a promtail version 2.4.1 on linux and fluent-bit on Windows-Server and it works quite nice. But when I try to query the windows system event from the loki with patterns, I’m running into a problem.When I try this query:
{job=“ServernameS62”} | pattern "<_>":<_>,"<_>":"<_>","<_>":"<_>","<eventid>":<eventiddata>,"<_>":<_>,"<eventtype>":"<eventtypedata>","<eventcategory>":<eventcategorydata>,"<_>" | eventiddata = “4624”

I’m not getting any data back, even when there is a 4624 systemevent. Do I use it the wrong way ?
Any suggestions are welcome
Kind regards

fatcharly

fatcharly · January 24, 2022, 5:36pm

Or is it possible to work with the detected fields grafana shows for the log ? In the Documentation is something mentioned about “_extracted” but I don’t know how to use it.

system · January 24, 2023, 5:37pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.