My data looks like this:
{
computer_dns_name: computer.domain.com
computer_sid: 22264db9ce59cd8f10000000d
group_name: New
id: 14711
}
{
computer_dns_name: computer.domain.com
computer_sid: 22264db9ce59cd8f10000000d
group_name: Old
id: 14711
}
I am trying to find cases where the group_name has changed.
This query returns results:
computer_dns_name="*" id=14711
| transaction id
| eval group_count=mvcount(group_name)
| where group_count > 1
| table computer_dns_name, group_name
This one does not!
computer_dns_name="*"
| transaction id
| eval group_count=mvcount(group_name)
| where group_count > 1
| table computer_dns_name, group_name
I expected that removing the search term id=14711 would give me all of the changes. Coming from a SQL background I expect that removing restrictions will, if anything, give me more results.
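As an added example that is not part of the original post, the same change detection written with stats instead of transaction: it groups directly by id and computer_dns_name, counts distinct group_name values, and also surfaces the earliest and latest group_name seen for each id so the direction of the change is visible.

```spl
computer_dns_name="*"
| stats dc(group_name) AS group_count
        values(group_name) AS group_names
        earliest(group_name) AS first_group
        latest(group_name) AS last_group
        BY id, computer_dns_name
| where group_count > 1
| table computer_dns_name, id, first_group, last_group, group_names
```

Against the two sample events above this yields one row for id 14711 with first_group and last_group set to the two group_name values in time order.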