This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need source=wineventlog:application source=wineventlog:security source=wineventlog:system host=”*” source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message
