Can someone help with this question? Thank you!
When you look under Available Fields you will find a slew of fields labeled data.win.“something”.“something more”.“other stuff”. We are looking for the two most numerous “something”.
The following appear to be the popular fields: data.win.eventdata.failureReason, data.win.eventdata.subjectUserName, data.win.system.message, and data.win.system.severityvalue. When I enter any two of these they don’t answer the question.
We are just looking for the first subcategory following data.win. The answers are in your post.
I have tried these combinations: (data.win.eventdata data.win.system), (eventdata system). I am still missing the acceptable formatting.
We don’t need the data.win part in the answer.
Got it! Thank you for taking the time to help.