Splunk Search

Running a query using wildcards for a value returns different counts than if I choose one of the wildcard fields.

klawman
Explorer

I have a script that runs against Qualys vulnerability information and does a count of vulnerabilities by OS (a field generated by Qualys).

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-1d@d | dedup HOST_ID, QID | search STATUS!="FIXED" |join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: **OS="Windows*"** | where cidrmatch("10.128.0.0/9", IP) ] | stats dc(QID) as #_Vulns , count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals #_Vulns, Total_Vulns

When I use the wildcard OS="Windows*" I get a breakdown like the following:

OS                                   #_Vulns   Total_Vulns
Windows 7 Enterprise Service Pack 1      283         38624
Windows XP Service Pack 3                109          9973
Windows 8 Enterprise                     153          1643
Windows XP                                 2            86
Windows NT4                                1            70

If I choose one of the OS choices specifically (for example, the "Windows 7 Enterprise Service Pack 1") with the same query I get different results.

index=qualys HOSTVULN  SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-1d@d |  dedup HOST_ID, QID | search STATUS!="FIXED" |join QID [search index=qualys QID_INFO PATCHABLE=1] |  join HOST_ID [search index=qualys HOSTSUMMARY:  **OS="Windows 7 Enterprise Service Pack 1"**  | where cidrmatch("10.128.0.0/9", IP)  ] | stats dc(QID) as #_Vulns , count(QID) as Total_Vulns by OS | sort -Total_Vulns | addcoltotals #_Vulns, Total_Vulns

OS                                   #_Vulns   Total_Vulns
Windows 7 Enterprise Service Pack 1      287         62569

I am guessing Splunk hits some limiter on returns when using the wildcard but I can't figure out where in the process it stalls/quits. Is it in the timeframe? Is there a truncation the moment it finds an Event in the wildcard that matches the "earliest" criteria that is then skipped if I perform a more granular search? It's the same search and the same data-set so whatever is leading to the difference in answers has got to be in the Splunk processing. I'm just trying to nail down 'where'.


MuS
Legend

Hi klawman,

If you're hitting any limit, then it is not related to the search using earliest, but to your two subsearches and the join.

Read more about the limits in the docs http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Aboutsubsearches

btw, move search STATUS!="FIXED" to the base search like this:

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED"  STATUS!="FIXED" earliest=-1d@d

which will perform much better.

cheers, MuS
