If I run this query for last week, I get some counts:
sourcetype="WinEventLog:Security" (EventCode=4728 OR EventCode=632) host="*dcp*" | stats count
I get 926.
If I use that as the constraint for a data model and query that model for the count of events for last week, I get a different number (801).
How do I determine where my missing events are?