- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Longer Period of Time showing Fewer Results??
Hi,
I have a search which returns 37 results for one date (May 30), but 0 results for May 30-Jun2. I am failing to see in the search anything that should be using time or cancelling results from a longer search period.
The search is:
eventtype=mssql-audit class_type=U | lookup dm_audit_actions action_id OUTPUT name
| join host, session_id, server_principal_id [ search eventtype=mssql-audit class_type="*" succeeded="true" src_ip="*" | eval src_ip=if(src_ip=="local machine",host,src_ip) | stats values(src_ip) as src_ip by host,session_id,server_principal_id ]
So why does a search give me results for a period of time, but no results for "period of time" + a day?
Any suggestions would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you check if individual searches (main search and subsearch) are returning data, for the period May30-Jun02, independently? and have matching events so that join can be applied?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this to help diagnose your problem.
Apply a _time bucket within your query and do a |stats count by _time
| bucket _time span=24h | stats count by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I switched the span to 1h. There are events in the one day search that break down as expected by the hour. The one day + more days search still returns zero results.
