https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697449#M236926 <P>"I only know in SPL we can't get result if write query with source in the first position"</P><P>It is not true. If you don't specify index conditions explicitly, Splunk uses default indexes for your user's role (which might be an empty set). Conditions in a search are _not_ positional.</P><P>OK, having that out of the way...</P><P>1) metasearch is an old command, rarely used nowadays since most use cases can be more effectively covered with other methods. In your case it would be</P><PRE>| tstats count where index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational")</PRE><P>2) Well, do you _have_ any data of this kind? If you haven't ingested it from the endpoint, you can't search from it. That's what the search result tells you. (I assume you're searching over decently wide time range and you have access to relevant indexes)</P> Tue, 27 Aug 2024 11:50:47 GMT PickleRick 2024-08-27T11:50:47Z https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697434#M236923 <P>According to&nbsp;<A href="https://research.splunk.com/endpoint/d8ddfa9b-b724-4df9-9dbe-f34cc0936714/" target="_blank" rel="noopener">Windows Export Certificate - Splunk Security Content</A>&nbsp;it using macros in the first query&nbsp;</P><PRE>`certificateservices_lifecycle` EventCode=1007 | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_export_certificate_filter`</PRE><P>&nbsp;</P><P>And in `certificateservices_lifecycle` macros is&nbsp;<SPAN>(source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zksvc_0-1724752713713.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32423i5E28F1FCDC76C02E/image-size/medium?v=v2&amp;px=400" role="button" title="zksvc_0-1724752713713.png" alt="zksvc_0-1724752713713.png" /></span></P><P>I only know in SPL we can't get result if write query with source in the first position, so i add index=* before&nbsp;`certificateservices_lifecycle` but unfortunately i don't get any result.<BR /><BR />Then i'm using metasearch for check it available or not with this query&nbsp;</P><PRE>First query :<BR />| metasearch index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational")<BR /><BR />Second query : <BR />| metasearch index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational")</PRE><P>&nbsp;</P><P>and then i only got 0 result.<BR /><BR />The question is if i want to get data from source="XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" did i need setting it in Endpoints or can solved it in Splunk ?&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 27 Aug 2024 10:09:58 GMT https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697434#M236923 zksvc 2024-08-27T10:09:58Z https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697449#M236926 <P>"I only know in SPL we can't get result if write query with source in the first position"</P><P>It is not true. If you don't specify index conditions explicitly, Splunk uses default indexes for your user's role (which might be an empty set). Conditions in a search are _not_ positional.</P><P>OK, having that out of the way...</P><P>1) metasearch is an old command, rarely used nowadays since most use cases can be more effectively covered with other methods. In your case it would be</P><PRE>| tstats count where index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational")</PRE><P>2) Well, do you _have_ any data of this kind? If you haven't ingested it from the endpoint, you can't search from it. That's what the search result tells you. (I assume you're searching over decently wide time range and you have access to relevant indexes)</P> Tue, 27 Aug 2024 11:50:47 GMT https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697449#M236926 PickleRick 2024-08-27T11:50:47Z https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697465#M236932 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;<BR />Thanks for your reply, and knowledge about source can called in the first position.</P><P>Sorry i don't know that because in many case i got it always solved when i add index=* before the source.&nbsp;<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zksvc_0-1724764160097.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32426i3540F2CE7A5119A6/image-size/medium?v=v2&amp;px=400" role="button" title="zksvc_0-1724764160097.png" alt="zksvc_0-1724764160097.png" /></span></P><P>And with your query i only get 0 count, so i think it because my client don't ingest in the Endpoint.</P><P>Thankyou for your reply and your information.&nbsp;</P><P>Danke <span class="lia-unicode-emoji" title=":clinking_beer_mugs:">🍻</span></P> Tue, 27 Aug 2024 13:10:18 GMT https://community.splunk.com/t5/Splunk-Search/Confusing-in-Windows-Export-Certificate-Rule/m-p/697465#M236932 zksvc 2024-08-27T13:10:18Z