I have a query which is using streamstats, eventstats, stats, and transaction (trying to achieve brute force attack logic). It displays the search results when I give the proper date range (from 05/12/2020 at 17:30:00 to 05/12/2020 at 17:35:00, which is just 5 mins). But the same search doesn't give me the same search result; it produces a different search result when the date range is given as 05/12/2020 at 17:20:00 to 05/12/2020 at 17:45:00, which is nearly 25 mins.
Please let me know why this happens.
Query used is:
index=wineventlog_sec* tag=authentication (action=success OR action=failure)
| table _time user dest EventCode action
| sort 0 user _time dest
| streamstats count as attempts by action user dest reset_on_change=true
| streamstats count(eval(attempts=1)) as sessions by user dest
| eventstats count as max_attempts by sessions user dest
| eval success_session=(sessions-1)
| eventstats max(eval(case(match(action,"failure") AND attempts=1 AND max_attempts>50 ,_time))) as lastFailed max(eval(case(match(action,"success") AND attempts=1,_time))) as lastSuccess by action user dest success_session
| search attempts=1
| transaction user dest maxspan=1m maxevents=2
| search lastFailed=* AND lastSuccess=*
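Added example (not part of the original post and not Splunk's own code): a small Python model of the run counting that `streamstats ... reset_on_change=true` / `eventstats count as max_attempts` / `search attempts=1` perform, plus the run-start pairing the `transaction maxspan=1m maxevents=2` step is meant to express. It is run over a constructed event set against both time ranges from the question. The user and host names (`alice`, `srv1`), the 4-per-second burst, and the helper names (`runs_in_window`, `detect`, `at`) are all constructed for the illustration. The point it shows is that the pipeline only ever sees the events inside the search window, so a failure burst that straddles the window boundary is counted from the window edge rather than from its true start, and the same rule can then flag it in one range and not in the other.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    dest: str
    action: str  # "success" or "failure"


@dataclass(frozen=True)
class Run:
    start: datetime  # _time of the event that carries attempts=1
    user: str
    dest: str
    action: str
    attempts: int    # what eventstats count ... as max_attempts yields for this run


T0 = datetime(2020, 5, 12, 17, 0, 0)


def at(minutes, seconds, ms=0):
    """Helper (constructed): a timestamp on 2020-05-12 at 17:MM:SS.mmm."""
    return T0 + timedelta(minutes=minutes, seconds=seconds, milliseconds=ms)


# Constructed sample (hypothetical user/host): 60 failures at 4 per second starting
# at 17:29:55, i.e. 5 seconds BEFORE the 5-minute window opens, then one success.
SAMPLE = (
    [Event(at(29, 55, 250 * i), "alice", "srv1", "failure") for i in range(60)]
    + [Event(at(30, 30), "alice", "srv1", "success")]
)


def runs_in_window(events, start, end):
    """Model of:  sort 0 user _time dest
                  | streamstats count as attempts by action user dest reset_on_change=true
                  | eventstats count as max_attempts by sessions user dest
                  | search attempts=1
    Only events inside [start, end) exist for the pipeline, so a burst crossing the
    window edge is counted from the edge, not from where it really began."""
    window = sorted((e for e in events if start <= e.time < end),
                    key=lambda e: (e.user, e.time, e.dest))
    runs = []
    # itertools.groupby groups *consecutive* events with the same key, which is
    # exactly what reset_on_change=true does to the running count.
    for (user, dest, action), grp in groupby(window, key=lambda e: (e.user, e.dest, e.action)):
        members = list(grp)
        runs.append(Run(members[0].time, user, dest, action, len(members)))
    return runs


def detect(events, start, end, threshold=50, maxspan=timedelta(minutes=1)):
    """Intended rule of the query: a failure run of more than `threshold` attempts
    whose start is followed within `maxspan` by the start of a success run for the
    same user/dest (the attempts=1 events paired by transaction maxspan=1m maxevents=2).
    Returns (user, dest, failure_start, attempts, success_start) per hit."""
    runs = runs_in_window(events, start, end)
    hits = []
    for i, r in enumerate(runs):
        if r.action != "failure" or r.attempts <= threshold:
            continue
        for nxt in runs[i + 1:]:
            if (nxt.user, nxt.dest) != (r.user, r.dest):
                continue
            if nxt.action == "success" and timedelta(0) <= nxt.start - r.start <= maxspan:
                hits.append((r.user, r.dest, r.start, r.attempts, nxt.start))
            break  # only the run immediately following this user/dest pair counts
    return hits


if __name__ == "__main__":
    ranges = {"5-minute window": (at(30, 0), at(35, 0)),
              "25-minute window": (at(20, 0), at(45, 0))}
    for name, (s, e) in ranges.items():
        runs = [(r.action, r.attempts) for r in runs_in_window(SAMPLE, s, e)]
        print(f"{name}: runs={runs} hits={detect(SAMPLE, s, e)}")
```

With the constructed data the 25-minute range sees the whole burst (60 attempts, above the threshold, success 35 s after the burst started) and produces one hit, while the 5-minute range sees only the 40 failures stamped at or after 17:30:00 and produces none. The direction is reversed relative to the question, but the mechanism is the same: `attempts`, `max_attempts`, the `sessions` numbering, and which `attempts=1` events fall within a minute of each other are all computed from whatever events the chosen time range admits, so any run of events that starts before the range opens, or an extra run-start event that a wider range pulls in, changes the pairing and the counts.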