Have source from cisco:asa with a field value of user.
The following search(es) will return all values for user:
(This search for example would return 30 events with a user value in 100%)
sourcetype=cisco:asa message_id=722051
(This search for example would return 30 events with a user value in 100%)
sourcetype=cisco:asa message_id=722051 user=*
If I attempt to get more specific on the user value like below, no results are found even though it's found in the above search:
sourcetype=cisco:asa message_id=722051 user=testuser1234
If I attempt this search events are also returned:
sourcetype=cisco:asa message_id=722051 user=testuser*
or
sourcetype=cisco:asa message_id=722051 user=test*1234
So as long as my user= contains a wildcard results are found. What could be causing this issue?
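An added diagnostic search, not part of the original post: it starts from the wildcard form that does return events and compares the extracted value's length with its trimmed length, so that a value carrying whitespace or other non-printing characters (which a wildcard match hides but an exact match does not) becomes visible. It assumes the same sourcetype, message_id and user field as in the question.

```spl
sourcetype=cisco:asa message_id=722051 user=testuser*
| eval user_len=len(user)
| eval trimmed_len=len(trim(user))
| eval has_whitespace=if(match(user, "\s"), "yes", "no")
| eval exact_eq=if(user="testuser1234", "yes", "no")
| stats count by user, user_len, trimmed_len, has_whitespace, exact_eq
```

A row where user_len differs from trimmed_len, or has_whitespace is "yes" while exact_eq is "no", points at the extraction rather than at the search syntax.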