I am a relatively new Splunk Enterprise user. One of the things I have been working on is tracking the load behavior, failure to load, boot time, etc. for a particularly troublesome Outlook add-in in my environment. I have a lot of the information from my search:
index=test source="WinEventLog Application" SourceName=Outlook EventCode=45 EventType=4 Name="Name of my Addin" earliest=-7d
However, I am having trouble finding out how to track the failures to load this particular addin. The event code displays ALL the addins that successfully loaded when the user launched Outlook, and I wanted to see when just one of these addins is failing.
I tried using a couple of different "where" statements, but I can't get it to display correctly. I have also tried comparing the list of the devices that have this add-in installed in relation to the number of devices that load Outlook but don't load the addin. Still some data discrepancies.
My question is basically if anyone has some experience tracking whether an Outlook add-in successfully loaded or failed to load, and how you did it.
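The comparison described in the question, sketched as an added example that is not part of the original post: treat each event 45 as one Outlook launch, flag launches whose loaded list lacks the add-in, and count only hosts where the add-in is installed. The records, host names, add-in names, inventory set and the one-`Name:`-line-per-add-in message layout are constructed assumptions.

```python
import re
from collections import defaultdict

def _msg(*names):
    # Constructed message body; this layout is an assumption for illustration.
    lines = ["Outlook loaded the following add-in(s):"]
    for n in names:
        lines += [f"Name: {n}", "Boot Time (Milliseconds): 15"]
    return "\n".join(lines)

# Constructed sample: one record per Outlook EventCode=45 event (one launch).
EVENTS = [
    {"host": "PC-01", "time": "2024-05-01T08:02:11",
     "message": _msg("Example Addin", "Other Addin")},
    {"host": "PC-01", "time": "2024-05-02T08:05:40",
     "message": _msg("Other Addin")},
    {"host": "PC-02", "time": "2024-05-01T09:11:03",
     "message": _msg("Other Addin", "Example Addin")},
    {"host": "PC-03", "time": "2024-05-01T09:30:00",
     "message": _msg("Other Addin")},
]
# Hypothetical inventory of devices that have the add-in installed.
INSTALLED = {"PC-01", "PC-02"}

NAME_RE = re.compile(r"^[ \t]*Name:[ \t]*(.+?)[ \t]*$", re.MULTILINE)

def loaded_addins(message):
    """Set of add-in names listed in one event 45 message (case-insensitive)."""
    return {name.casefold() for name in NAME_RE.findall(message)}

def launches_missing(events, addin):
    """(host, time) of every launch whose loaded list does not contain addin."""
    target = addin.casefold()
    return [(e["host"], e["time"]) for e in events
            if target not in loaded_addins(e["message"])]

def miss_counts_by_host(events, addin, installed_hosts):
    """Per installed host: (launches without the add-in, total launches)."""
    target = addin.casefold()
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        if e["host"] not in installed_hosts:
            continue  # absence where the add-in is not installed is not a failure
        counts[e["host"]][1] += 1
        if target not in loaded_addins(e["message"]):
            counts[e["host"]][0] += 1
    return {host: tuple(c) for host, c in counts.items()}
```

The key point is that the search must start from all event 45 records rather than only those already filtered on the add-in name, otherwise launches where the add-in is absent never reach the comparison.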