Any suggestions to speed up this relevance? (Windows Event Log scraping)

Straightforward question: can this run faster? It gives me (almost*) exactly what I want, but I’m hesitant to deploy a Retrieved Property that takes over 30 seconds to run, even if it’s just once a day…

Q: (multiplicities of it, it) of unique values of ((following text of last "%09" of it & "\" & preceding text of first "%0d" of it) of (preceding text of first "%0d%0a%09Logon ID:" of following text of first "Account Name:%09%09" of following text of first "New Logon:" of description of it) of (records of security event log) whose (event id of it = 4624 and time generated of it > (now - 30*day) and (description of it contains "Logon Type:%09%092" or description of it contains "Logon Type:%09%097")))
A: 2, Font Driver Host\UMFD-0
A: 2, Font Driver Host\UMFD-1
A: 232, MYDOMAIN\myusername
A: 4, Window Manager\DWM-1
T: 31448.858 ms

(*) - Ideally, I’d just need this to report to me the Logon ID with the greatest number… any way I can get that? The system that will be receiving this info via API can certainly do the logic on its end, but I’d love to have it done on the BigFix end (or at least know whether or not it can be done on the BigFix end).
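For reference, here is the same extraction and counting logic written out in Python over constructed sample 4624 descriptions. This is an added example, not part of the original post and not BigFix code: it mirrors the relevance clause step by step (the `%09` and `%0d%0a` in relevance are tab and CRLF here, the "New Logon:" block is located first so the "Subject:" block's own "Account Name:" is skipped, and only logon types 2 and 7 inside the 30-day window are counted) and then returns the single DOMAIN\user with the highest count. The sample descriptions, SIDs, logon IDs and timestamps are all constructed placeholders.

```python
"""Count 4624 interactive/unlock logons per DOMAIN\\user and return the top one.

Added example (not from the original post): re-implements the string slicing
the relevance clause performs on the 4624 description text, over constructed
sample events, then picks the account with the greatest count.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _desc(user, domain, logon_type):
    """Build a constructed 4624 description in the layout of the real message.

    SIDs and logon IDs are placeholders. The 'Subject:' block deliberately
    contains its own 'Account Name:' and 'Logon ID:' lines, which is why the
    parser (like the relevance) seeks 'New Logon:' before slicing.
    """
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tHOST$\r\n"
        "\tAccount Domain:\t\tMYDOMAIN\r\n\tLogon ID:\t\t0x3E7\r\n\r\n"
        f"Logon Type:\t\t{logon_type}\r\n\r\n"
        "New Logon:\r\n\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\r\n"
        f"\tAccount Name:\t\t{user}\r\n\tAccount Domain:\t\t{domain}\r\n"
        "\tLogon ID:\t\t0x1A2B3C\r\n"
    )


# Fixed "now" so the 30-day window is deterministic (constructed, not real time).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample records: (event id, time generated, description).
SAMPLE_EVENTS = [
    (4624, NOW - timedelta(days=1), _desc("myusername", "MYDOMAIN", 2)),
    (4624, NOW - timedelta(days=2), _desc("myusername", "MYDOMAIN", 7)),
    (4624, NOW - timedelta(days=3), _desc("myusername", "MYDOMAIN", 2)),
    (4624, NOW - timedelta(days=1), _desc("DWM-1", "Window Manager", 2)),
    (4624, NOW - timedelta(days=1), _desc("UMFD-0", "Font Driver Host", 2)),
    (4624, NOW - timedelta(days=1), _desc("myusername", "MYDOMAIN", 3)),   # network logon: excluded
    (4624, NOW - timedelta(days=45), _desc("olduser", "MYDOMAIN", 2)),     # outside the window: excluded
    (4634, NOW - timedelta(days=1), "An account was logged off.\r\n"),     # wrong event id: excluded
]


def new_logon_account(description):
    """Return 'DOMAIN\\user' from the 'New Logon:' block, mirroring the relevance slicing."""
    block = description.split("New Logon:", 1)[1]            # following text of first "New Logon:"
    block = block.split("Account Name:\t\t", 1)[1]           # following text of first "Account Name:%09%09"
    block = block.split("\r\n\tLogon ID:", 1)[0]             # preceding text of first "%0d%0a%09Logon ID:"
    # block is now "user\r\n\tAccount Domain:\t\tDOMAIN"
    user = block.split("\r", 1)[0]                           # preceding text of first "%0d"
    domain = block.rsplit("\t", 1)[1]                        # following text of last "%09"
    return f"{domain}\\{user}"


def logon_type(description):
    """Return the integer after 'Logon Type:' (two tabs, then the number)."""
    return int(description.split("Logon Type:\t\t", 1)[1].split("\r", 1)[0])


def count_logons(events, now=NOW, window=timedelta(days=30), types=(2, 7)):
    """Apply the same filters as the relevance and count per DOMAIN\\user."""
    counts = Counter()
    for event_id, generated, description in events:
        if event_id != 4624 or generated <= now - window:    # time generated > now - 30*day
            continue
        if logon_type(description) not in types:             # Logon Type 2 or 7 only
            continue
        counts[new_logon_account(description)] += 1
    return counts


def top_logon(events, **kwargs):
    """The (account, count) pair with the greatest count, or None if nothing matched."""
    counts = count_logons(events, **kwargs)
    if not counts:
        return None
    return counts.most_common(1)[0]


if __name__ == "__main__":
    for account, n in count_logons(SAMPLE_EVENTS).most_common():
        print(f"{n}, {account}")
    print("top:", top_logon(SAMPLE_EVENTS))
```

The slicing above is only as stable as the description text: it depends on the English message template and its tab/CRLF layout. A 4624 event also carries the same values as structured EventData fields (TargetUserName, TargetDomainName, LogonType), which is the more robust source when the collection tool can read them instead of the rendered description.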

This forum post by @strawgate may be of help


Thanks, @trn! I wasn’t sure if this was an Event Log issue or a general Relevance efficiency issue.