The pipeline logic of this discrete math is kicking me hard today. I need to be able to find a list of laptops that are checking into inventory over the past 30 days from off-premise, but have not checked in from on-premise.
I have a working search that gathers my entire inventory and looks up the client's address and returns subnet_descriptions. From that search I get ~100 results; anything unknown comes back as NONE where NONE means that it was off-premise. With this it is very easy to | where subnet_description = "NONE" but these results include machines that also checked in from on-premise in the same 30 days.
I can | stats count by machinename and then | where count = 1 which would get me close, but it wouldn't tell me if that 1 location was also "NONE" and because stats truncates off the subnet_description, I cannot do a subsequent | where ...
I can | stats count by machinename subnet_description but the count is then based upon the two criteria together and one machine gets multiple lines and again I can only filter on one.
I need some ideas on how to get just the overlap in these searches and essentially do a | stats count(machinename) | where count machinename = 1 and subnet_description="NONE"
Any brain checks would be greatly appreciated.
