discrepancy in stats search

Question

Hello Team,I am seeing a discrepancy with the stats search.When I run a normal search for EPP high alerts during the specified time range, I get 31 results. However, when I convert the same logic into a stats search with a match window, the result count increases significantly.I expected the count to be equal to or lower than 31, since the match window should group matching alerts within the defined time period. Instead, I am seeing more than 400 results, which is around 15 times higher than the original event count.and when it is run on rules i am getting 23 detectionsCould you please help confirm why the stats-based query is inflating the results and whether the match/window logic is causing duplicate or expanded matches?

NASEEF · Answer

Additionally, even when I match against the timestamp field, instead of getting unique timestamp rows, the same timestamps are repeating multiple times.

For example, around 30 timestamps are repeating across 297 logs. This makes it appear that the stats/match logic is generating duplicate matches rather than consolidating events within the match window.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded