
Missing Events Searching On Reference ID Meta Key

Question asked by Michail Piskoun on May 4, 2017
Latest reply on May 5, 2017 by Eric Partington

Has anyone noticed any issues with Windows events and the reference id meta key? I've had an issue recently where I will not be able to see all events on the reference id meta key, even though the events should exist. For example, if I query 'reference.id = '4732'' over 5 days I may have no results, whereas querying 'msg.id ='security_4732_microsoft-windows-security-auditing'' over the same amount of days will show all the events previously missing. It looks like a service restart corrects it going forward, and stranger still it's usually specific to a reference id, in my most recent case being 4732. I'm currently on 10.6.3 but I noticed this first in 10.6.2.
