The following search produces the expected result when querying the "Last 4 hours" time period. However, the stats count for Important_Events actually decreases when querying the "Last 24 hours" time period. Can someone please explain why this occurs?
index="*"
|stats count as Total_Events
|appendcols
[search (index="windows" source="WinEventLog:Security" EventCode="4624" Logon_Type="2" OR Logon_Type="7" OR Logon_Type="10")
OR
(index="windows" source="WinEventLog:Security" EventCode="4672" Account_Name="*" NOT Account_Name="SYSTEM")
OR
(index="network")
| stats count as Important_Events]
| eval Important_Events_Percentage=(Important_Events/Total_Events)*100
| eval Unimportant_Events=Total_Events-Important_Events
| eval Unimportant_Events_Percentage=100-Important_Events_Percentage
| fields Unimportant_Events, Unimportant_Events_Percentage, Important_Events, Important_Events_Percentage
The crazy thing is that I can run the appended search by itself and return the appropriate result, regardless of which time period I search, but this won't allow me to evaluate the total event count of the parent search:
(index="windows" source="WinEventLog:Security" EventCode="4624" Logon_Type="2" OR Logon_Type="7" OR Logon_Type="10")
OR
(index="windows" source="WinEventLog:Security" EventCode="4672" Account_Name="*" NOT Account_Name="SYSTEM")
OR
(index="network")
| stats count
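Splunk subsearches (including the one fed to appendcols) are capped by limits.conf, by default at 60 seconds of runtime (subsearch_maxtime) and 10,000 results (subsearch_maxout); a subsearch that hits the time cap is finalized and returns whatever it had counted so far, which matches a count that shrinks as the time range grows. One way to avoid the subsearch entirely is to classify each event inline and count both totals in a single stats pass. The search below is an added example, not part of the original post; it assumes the same indexes, sourcetypes and field names the question uses (index, source, EventCode, Logon_Type, Account_Name) and keeps the same output fields.

```spl
index="*"
| eval Important=if(
      (index=="windows" AND source=="WinEventLog:Security" AND EventCode=="4624"
          AND (Logon_Type=="2" OR Logon_Type=="7" OR Logon_Type=="10"))
      OR (index=="windows" AND source=="WinEventLog:Security" AND EventCode=="4672"
          AND isnotnull(Account_Name) AND isnull(mvfind(Account_Name, "^SYSTEM$")))
      OR index=="network",
      1, 0)
| stats count AS Total_Events, sum(Important) AS Important_Events
| eval Important_Events_Percentage=round(Important_Events/Total_Events*100, 2)
| eval Unimportant_Events=Total_Events-Important_Events
| eval Unimportant_Events_Percentage=100-Important_Events_Percentage
| fields Unimportant_Events, Unimportant_Events_Percentage, Important_Events, Important_Events_Percentage
```

Because every event is scanned exactly once, Total_Events and Important_Events come from the same set of events over the same time range, so the ratio cannot drift apart as the range widens. The mvfind() call reproduces the original NOT Account_Name="SYSTEM" clause for 4672 events, where Account_Name is often multivalued; a plain != comparison would only test the first value. The round() is optional and only tidies the percentage for display.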