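index="ai-wkst-wineventlog-fr" sourcetype="XmlWinEventLog" source="XmlWinEventLog:Application" (Level=1 OR Level=3) Name=$process|s$ host=$tok_filterhost|s$ EventCode=$tok_filtereventcode|s$
    ``` Application-log events for one process on the selected host/event code, enriched below with each host's OS string from the registry index. ```
    ``` Windows levels: 1 = Critical, 3 = Warning. NOTE(review): Level=2 (Error) is not matched - confirm that is intended. ```
    ``` Tokens use the |s filter so each value is quoted and escaped before it reaches SPL; a raw $token$ lets a crafted form or URL value add its own search clauses. Assumes each token carries a single value or wildcard - confirm against the dashboard inputs. ```
    ``` host and EventCode are filtered in the base search (previously two later "| search" stages) so fewer events reach rex. ```
    ``` The capture-group names were missing from the page ("(?[" is not valid regex); message and ProgID are restored from the table columns below - confirm against the original dashboard. ```
| rex field=EventData_Xml "(?<message>[^\r\n:]+)\s:\s*ProgID\s:\s(?<ProgID>[^\r\n]+)"
| dedup _time Name
    ``` The subsearch scans all time (earliest=0) and is subject to subsearch result and runtime limits; if it is cut short, OS stays empty for some hosts with no error shown. ```
| append
    [ search earliest=0 index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion"
    | stats latest(data) as OS by host ]
    ``` Copy the OS value from the appended per-host rows onto every event row of the same host. ```
| eventstats values(OS) as OS by host
| table _time host Name Level EventCode OS message ProgID
| rename Name as Application
    ``` The appended OS rows have no Application value, so this drops them and keeps only real events. ```
| search Application=*
    ``` NOTE(review): sort keeps at most 10000 rows by default; use "sort 0 -_time" if longer result sets must not be truncated. ```
| sort -_time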