I am getting different results for the following two queries and I cannot understand why
(index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain
| eval acctN=mvindex(Account_Name,1)
| search acctN=*
| bin _time span=1d as date
| eval ComputerName=replace(ComputerName,".mydomain","")
| eval user=upper(acctN)
| eval domain=upper(TargetAccountDomain)
| stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
| sort 0 user ComputerName
| search user=myID
| append [| inputlookup user_device_logon.csv | search user=myID]
| sort 0 user ComputerName
| eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F")
This returns 20 items. But if I reverse the order of the component searches:
| inputlookup user_device_logon.csv | search user=myID
| append
[ search (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain
| eval acctN=mvindex(Account_Name,1)
| search acctN=*
| bin _time span=1d as date
| eval ComputerName=replace(ComputerName,".mydomain","")
| eval user=upper(acctN)
| eval domain=upper(TargetAccountDomain)
| stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
| sort 0 user ComputerName
| search user=myID]
| sort 0 user ComputerName
| eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F")
This returns 19 items.
If I run the two component searches separately, the lookup table returns 19 items and the windows event search returns 1 item.
The difference appears to be that the second search does not include the appended search results in the total results. What am I doing wrong here?
The second search is supposed to be better since the lookup table will get large and the appended search will usually be small. But it is not better if it prevents the windows search from returning data.
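An added example (not part of the original post) of the two ways the second ordering is usually made reliable: `append` runs its bracketed search as a subsearch, which Splunk finalizes once it exceeds `maxtime` (60 seconds by default), so a slow Windows search can be cut off before it returns its single row. The first search below sets that limit explicitly; the second avoids the subsearch entirely with `inputlookup append=true`, which adds the lookup rows to the main search's results without any subsearch limit. Field names, the lookup file, the `.mydomain` suffix and `myID` are taken from the post; the `maxtime` value is an assumption.

```spl
| inputlookup user_device_logon.csv | search user=myID
| append maxtime=600
    [ search (index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain
      | eval acctN=mvindex(Account_Name,1)
      | search acctN=*
      | bin _time span=1d as date
      | eval ComputerName=replace(ComputerName,".mydomain","")
      | eval user=upper(acctN)
      | eval domain=upper(TargetAccountDomain)
      | stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
      | search user=myID ]
| sort 0 user ComputerName
| eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F")

(index=windows) EventCode IN (4624,4625,4648) TargetAccountName!="-" ComputerName=*mydomain
| eval acctN=mvindex(Account_Name,1)
| search acctN=*
| bin _time span=1d as date
| eval ComputerName=replace(ComputerName,".mydomain","")
| eval user=upper(acctN)
| eval domain=upper(TargetAccountDomain)
| stats values(EventCode) as EventCodes values(date) as DaysSeen earliest(_time) as earliest latest(_time) as latest by ComputerName user Logon_Type
| search user=myID
| inputlookup append=true user_device_logon.csv where user=myID
| sort 0 user ComputerName
| eval earliest=strftime(earliest,"%F"), latest=strftime(latest,"%F")
```

The second form keeps the large lookup out of a subsearch altogether, so its size no longer matters, and only the rows matching `where user=myID` are read from the CSV.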