hi
I use two request which normally have to count the same number of events
the first is :
| eventtype=Periph
| dedup host
| stats count
For these one I have 106 events
the second is :
For this one I have less events
I think it's due to the fact that when i execute the query some lines are empty or sometimes there is the build and not the OS and sometimes there is the OS and not the build (see attachment)
eventtype=Periph OR eventtype=OSBuild
| eval OS=if(key_path=="\registry\machine\software\wow6432node\x\master\WindowsVersion",data, null),
Build=if(key_path=="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId",data,null)
| stats values(OS) as OS values(Build) as Build by host
| stats dc(host) as host by OS, Bu
ild
| sort -OS, Build limit=5
So what I have to do in order to have the same stats count in the second query that in the first query please???
