Has anyone noticed any issues with windows events and the reference id meta key? I've had an issue recently where I will not be able to see all events on a the reference id meta key, even though the events should exist. For example if I query 'reference.id = '4732'' over 5 days I may have no results, whereas querying 'msg.id ='security_4732_microsoft-windows-security-auditing'' over the same amount of days will show all the events previously missing. It looks like a service restart corrects it going forward, and stranger still it's usually specific to a reference id, in my most recent case being 4732. I'm currently on 10.6.3 but I noticed this first in 10.6.2.
