Thank you again for the great response @somesoni2 and a hat tip to @sundareshr as well! This looks like the appropriate solution, but for some inexplicable reason the count for the following two queries differs, even when configured over the same static time period:
1) This search generates a count of around 14,500:
(index="windows" AND source="WinEventLog:Security" AND EventCode="4624" AND (Logon_Type="2" OR Logon_Type="7" OR Logon_Type="10"))
OR
(index="windows" AND source="WinEventLog:Security" AND EventCode="4672" AND Account_Name="*" AND NOT Account_Name="SYSTEM")
OR
(index="network")
| stats count
2) Whereas this search generates a count for Important_Events of around 13,000:
index="*"
| eval Important=if((index="windows" AND source="WinEventLog:Security" AND EventCode="4624" AND (Logon_Type="2" OR Logon_Type="7" OR Logon_Type="10"))
OR
(index="windows" AND source="WinEventLog:Security" AND EventCode="4672" AND Account_Name="*" AND NOT Account_Name="SYSTEM")
OR
(index="network"),1,0)
| stats count as Total_Events sum(Important) as Important_Events
| eval Important_Events_Percentage=(Important_Events/Total_Events)*100
| eval Unimportant_Events=Total_Events-Important_Events
| eval Unimportant_Events_Percentage=100-Important_Events_Percentage
| fields Unimportant_Events, Unimportant_Events_Percentage, Important_Events, Important_Events_Percentage
It's practically the exact same search, yet it renders two different results; any ideas?
Also, this search takes an incredible amount of time to process compared with the original appendcols subsearch method; that is, compared with the times the original subsearch method actually ran successfully.
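An added illustration of one likely source of the gap (this is not from any participant in the thread, and whether it accounts for the whole 1,500-event difference is an assumption to check against your own data): in the search command, `Account_Name="*"` is a wildcard meaning "the field is present with a value" and value comparisons are case-insensitive, whereas inside `eval` the `=` operator is a literal, case-sensitive string comparison, so `Account_Name="*"` in the `if()` is only true for an event whose account name is the single character `*`, which silently drops the 4672 branch. The first search below is a diagnostic: it keeps the events the search-command filter accepts, applies the poster's original `eval` to them, and lists the ones the `eval` rejects, broken out by the fields being compared. The second search replaces the hand-written boolean with `searchmatch()`, an eval function that tests the event against a search string using search-command semantics; it assumes `searchmatch()` accepts the same boolean syntax as the search bar and treats `index` and `source` like any other field. Index, source, field and output names are carried over from the question.

```spl
(index="windows" AND source="WinEventLog:Security" AND EventCode="4624" AND (Logon_Type="2" OR Logon_Type="7" OR Logon_Type="10"))
OR (index="windows" AND source="WinEventLog:Security" AND EventCode="4672" AND Account_Name="*" AND NOT Account_Name="SYSTEM")
OR (index="network")
| eval Important=if((index="windows" AND source="WinEventLog:Security" AND EventCode="4624" AND (Logon_Type="2" OR Logon_Type="7" OR Logon_Type="10"))
    OR (index="windows" AND source="WinEventLog:Security" AND EventCode="4672" AND Account_Name="*" AND NOT Account_Name="SYSTEM")
    OR (index="network"),1,0)
| where Important=0
| stats count by index, source, EventCode, Account_Name

index="*"
| eval Important=if(
      searchmatch("index=windows source=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)")
   OR searchmatch("index=windows source=WinEventLog:Security EventCode=4672 Account_Name=* NOT Account_Name=SYSTEM")
   OR searchmatch("index=network"), 1, 0)
| stats count as Total_Events sum(Important) as Important_Events
| eval Important_Events_Percentage=round((Important_Events/Total_Events)*100, 2)
| eval Unimportant_Events=Total_Events-Important_Events
| eval Unimportant_Events_Percentage=100-Important_Events_Percentage
| fields Unimportant_Events, Unimportant_Events_Percentage, Important_Events, Important_Events_Percentage
```

Run the diagnostic over the same static time range as the two original searches: if its rows are dominated by EventCode 4672, the literal `"*"` comparison is the culprit; rows whose `source` differs only in letter case point at the case-sensitivity of `eval`'s `=`. If you prefer to keep a hand-written `eval`, the search-command-equivalent clauses are `isnotnull(Account_Name)` in place of `Account_Name="*"` and `lower()` applied to both sides of each string comparison. Note that neither form helps with the slowness: `index="*"` has to read every event in every index to produce a denominator, which is inherently more work than a subsearch that only retrieves the matching events.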