In certain situations, the Event ID clause limit for queries is 21, not 22, as is noted in the documentation.
If there is a mixture of single event IDs and ranges, AND an additional constraint such as ignore_older is provided, the event ID limit is 21 clauses, not 22. Even though the number of clauses appears to be the exact same between a query with 22 single event IDs with ignore_older and 22 mixed ranges and single IDs with ignore_older, the latter will fail with a "The specified query is invalid" error. This has been reproduced in Windows Event Viewer and is not a bug within the winlog input. This peculiar case should be documented in any integration that allows specifying event IDs (system, windows, winlog) to help avoid confusion among those using larger queries.
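A pre-deployment check for the case described above, as an added example that is not part of the original report or of the winlog input's code. The function names are hypothetical, the sample event IDs are constructed, and it assumes a comma-separated `event_id` string of single IDs and `low-high` ranges; exclusion entries are rejected because the report does not say how they count toward the limit.

```python
import re

DOCUMENTED_LIMIT = 22  # clause limit stated in the documentation, per the report
REDUCED_LIMIT = 21     # limit observed for mixed IDs and ranges plus an extra constraint


def parse_event_id(spec):
    """Split an event_id string into single IDs and (low, high) ranges."""
    singles, ranges = [], []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", token)
        if m:
            low, high = int(m.group(1)), int(m.group(2))
            if low > high:
                raise ValueError(f"inverted range: {token!r}")
            ranges.append((low, high))
        elif re.fullmatch(r"\d+", token):
            singles.append(int(token))
        else:
            # Exclusions and anything else are out of scope for this check.
            raise ValueError(f"unsupported event_id token: {token!r}")
    return singles, ranges


def check_event_id(spec, extra_constraint):
    """Report whether the clause count fits the limit that applies.

    extra_constraint is True when the query also carries a constraint such
    as ignore_older. The reduced limit is applied only to the combination
    the report describes: mixed single IDs and ranges plus such a constraint.
    """
    singles, ranges = parse_event_id(spec)
    clauses = len(singles) + len(ranges)
    mixed = bool(singles) and bool(ranges)
    limit = REDUCED_LIMIT if (mixed and extra_constraint) else DOCUMENTED_LIMIT
    return {"clauses": clauses, "limit": limit, "ok": clauses <= limit}


# Constructed sample inputs: 22 single IDs, and 20 single IDs plus 2 ranges.
SINGLES_22 = ", ".join(str(4600 + i) for i in range(22))
MIXED_22 = ", ".join(str(4600 + i) for i in range(20)) + ", 5000-5010, 5100-5110"

if __name__ == "__main__":
    for name, spec in (("22 singles", SINGLES_22), ("22 mixed", MIXED_22)):
        print(name, check_event_id(spec, extra_constraint=True))
```

Running a check like this over collection configs before rollout catches a query that would be rejected as invalid, which would otherwise leave the affected event IDs uncollected.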