This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need
1 |
source=wineventlog:application |
1 |
source=wineventlog:security |
1 |
source=wineventlog:system |
1 |
host="*" source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message |