Way to identify max value of multiplicity?

Content Authoring
12

Love your use of XMLNS and that class of inspectors.

I would tweak just a bit to use Jason’s set method for a slightly more robust solution.

q: tuple string items 1 of items 1 of (maximum of (it as integer) of tuple string items 0 of elements of it, elements of it) whose (item 0 of it = tuple string item 0 of item 1 of it as integer) of set of (it as string) of (multiplicity of it, it) of  unique values of ((node values of xpath ("xmlns:a='http://schemas.microsoft.com/win/2004/08/events/event'","/a:Event/a:EventData/a:Data[@Name='TargetUserName']/text()") of xml of it) of (records of security event log) whose (event id of it = 4624 and time generated of it > (now - 30*day) and (description of it contains "Logon Type:%09%092" or description of it contains "Logon Type:%09%097") and not (description of it contains "Font Driver Host" or description of it contains "Window Manager")))

Looks a little like a “who logged on the most in the last 30 days”? type of use case. Very elegant.

I wonder if it would be permissible to speed it up alot with @strawgate method of limiting event log queries to an arbitrary number of them (say the last 5000 log entries only?)

Q: tuple string items 1 of items 1 of (maximum of (it as integer) of tuple string items 0 of elements of it|0, elements of it) whose (item 0 of it = tuple string item 0 of item 1 of it as integer) of set of (it as string) of (multiplicity of it, it) of  unique values of((node values of xpaths ("xmlns:a='http://schemas.microsoft.com/win/2004/08/events/event'","/a:Event/a:EventData/a:Data[@Name='TargetUserName']/text()") of xmls of it) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 5000;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it = 4624 and time generated of it > (now - 30*day) and (description of it contains "Logon Type:%09%092" or description of it contains "Logon Type:%09%097") and not (description of it contains "Font Driver Host" or description of it contains "Window Manager")) of security event log)
2 Likes