hi
I use two requests which normally have to count the same number of events.
The first is:
```spl
| eventtype=Periph
| dedup host
| stats count
```
For this one I have 106 events.
The second is:

```spl
eventtype=Periph OR eventtype=OSBuild
| eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null)
| stats values(OS) as OS values(Build) as Build by host
| stats dc(host) as host by OS, Build
| sort -OS, Build limit=5
```

For this one I have fewer events.
I think it's due to the fact that when I execute the query some lines are empty, or sometimes there is the Build and not the OS, and sometimes there is the OS and not the Build (see attachment).

![build.png][1]

So what do I have to do in order to have the same stats count in the second query as in the first query, please?

[1]: /storage/temp/267618-build.png
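To check that explanation on constructed data (an added example, not from the original post; the host names, OS and Build values are made up): the first search builds four hosts of which only host1 has both fields and groups them the way the second query above does, so `stats ... by OS, Build` silently drops every host where either field is null. The second search is identical except for a `fillnull` before the grouping, so those hosts stay in the result.

```spl
| makeresults count=4
| streamstats count as n
| eval host="host".n, OS=case(n<=2, "10.0"), Build=case(n==1 OR n==3, "1809")
| fields - _time n
| stats dc(host) as host by OS, Build

| makeresults count=4
| streamstats count as n
| eval host="host".n, OS=case(n<=2, "10.0"), Build=case(n==1 OR n==3, "1809")
| fields - _time n
| fillnull value="missing" OS Build
| stats dc(host) as host by OS, Build
```

The first search returns a single row (OS=10.0, Build=1809, host=1); the second returns four rows whose host counts sum to 4, which is what `dedup host | stats count` reports for the same data.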