In the last few days I have been trying to learn and understand the principles of LISPY in order to understand the following phenomenon. By now I can tell that I've learned a lot, but I still can't comprehend the behaviour of Splunk when putting its LISPY queries together.
I understand what is happening here so far, but now we have a strange behaviour while running SPL on the data where we used the fields "index", "source" and "CategoryString". "CategoryString" comes as output from the automatic lookup. That was when I took a closer look at the LISPY and was able to locate the problem:
[ AND defender index::indexname microsoft windows [ OR action source::*wineventlog:microsoft-windows-windows\ defender/operational ] ]
As far as I understand, the string "action" is not found in the tsidx file, as it is returned as a field value from an automatic lookup, and that's why our first LISPY does not provide any data and the SPL gives back 0 results. In the second SPL, where we used SourceName (not indexed) instead of Source (indexed), the LISPY looked different and worked, as the string "action" is now in the OR-clause and not in the AND-clause at the beginning...
My questions now are:
As I'm a very curious guy, can someone explain this behaviour to me?
What would / could be a good way or workaround to "fix" this so that the field "source" and "CategoryString" can be used together?
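A small model of the behaviour described in the post, added here as an example and not taken from the original post or from Splunk itself: a toy LISPY parser and evaluator that matches bare terms against an event's indexed tokens and `field::value` terms against its indexed fields. The constructed event, the two LISPY variants and the simplified matching rules are assumptions; real tsidx matching is more involved, but the point survives: a lookup-derived value required in the top-level AND can never match, while the same value inside an OR next to a matching indexed term does not block the event.

```python
import re
from fnmatch import fnmatch

# Tokens: '[' , ']' , or a run of non-space chars where "\ " keeps an escaped space.
TOKEN_RE = re.compile(r'\[|\]|(?:\\.|[^\s\[\]\\])+')

def parse_lispy(text):
    """Parse '[ AND a b [ OR c d ] ]' into nested lists: ['AND', 'a', 'b', ['OR', 'c', 'd']]."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def node():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != '[':
            return re.sub(r'\\(.)', r'\1', tok)   # un-escape "\ " and friends
        children = []
        while tokens[pos] != ']':
            children.append(node())
        pos += 1                                # consume the closing ']'
        return children

    return node()

def term_matches(term, event):
    """Simplified rule: field::pattern is checked against indexed fields (wildcards allowed),
    a bare term must be one of the event's indexed tokens. Lookup output is never indexed."""
    if '::' in term:
        field, pattern = term.split('::', 1)
        value = event['fields'].get(field)
        return value is not None and fnmatch(value.lower(), pattern.lower())
    return term.lower() in event['terms']

def evaluate(node, event):
    if isinstance(node, str):
        return term_matches(node, event)
    op, *children = node
    results = [evaluate(c, event) for c in children]
    if op == 'AND':
        return all(results)
    if op == 'OR':
        return any(results)
    if op == 'NOT':
        return not any(results)
    raise ValueError(f'unknown LISPY operator {op}')

# Constructed event: only what the indexer wrote to tsidx. "action" is a value the automatic
# lookup adds to CategoryString at search time, so it is deliberately absent from 'terms'.
EVENT = {
    'fields': {'index': 'indexname',
               'source': 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'},
    'terms': {'microsoft', 'windows', 'defender', 'operational'},
}

# Constructed variants of the two shapes the post describes (hypothetical, not Splunk output).
LISPY_ACTION_IN_AND = '[ AND action defender index::indexname microsoft windows ]'
LISPY_ACTION_IN_OR = ('[ AND defender index::indexname microsoft windows '
                      '[ OR action source::*wineventlog:microsoft-windows-windows\\ defender/operational ] ]')

def demo():
    """Returns whether the constructed event survives each LISPY filter."""
    return {name: evaluate(parse_lispy(q), EVENT)
            for name, q in (('action_in_and', LISPY_ACTION_IN_AND),
                            ('action_in_or', LISPY_ACTION_IN_OR))}
```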