Forensic queries are returning results for agents not in the computer group selected in the query (NETIQKB72994)

  • 7772994
  • 27-May-2011
  • 15-Jul-2011

Environment

Security Manager
6.0.x
6.5.x
forensic
query
computer group

Situation

Forensic queries are returning results for agents not in the computer group selected in the query.

Agents not in the computer group show up in forensic queries.

Resolution

When creating forensic reports, it is important to understand that the Central Computer (CC) sends a string to the Log Archive Server (LAS). This string contains a list of all computers in the computer group(s) selected to run the forensic query against. If this string has more than 200 computers in it, the LAS is unable to process it. Because of this, whenever the query is submitted and the string has more than 200 computers, the reference to the computers is dropped and all results for the platform specified in the forensic query (e.g. Cross Platform, McAfee Antivirus, Windows Security, etc.) are returned, regardless of computer group.


In order to return the results you are looking for, you will need to do one or more of the following:

1)  Limit the forensic query to computer groups with 200 or fewer computers in them.
2)  Limit the query using the Event Parameters to select only the computers you require.
3)  Run multiple queries using smaller computer groups (again, 200 or fewer computers each), export the results, and combine them in Excel or another application to view a complete list.
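The following is an added example, not NetIQ code, that models the behaviour described above so a query's scope can be checked before it is submitted: it computes the computer list the CC would send for the selected groups, flags when that list exceeds the 200-computer limit (at which point the LAS silently returns results for the whole platform), splits an oversized list into batches for option 3, and filters or merges exported rows afterwards. The group membership and result rows are constructed sample data; the limit of 200 is the value stated in the article.

```python
from itertools import islice

# Limit stated in the article: above this the LAS drops the computer list.
MAX_COMPUTERS = 200

def scoped_computers(groups, selected):
    """Union of members across the selected groups (the list the CC sends to the LAS)."""
    members = set()
    for name in selected:
        members.update(groups[name])
    return sorted(members)

def query_scope_is_honored(groups, selected):
    """False when the list is too long and every platform result would come back."""
    return len(scoped_computers(groups, selected)) <= MAX_COMPUTERS

def batches(computers, size=MAX_COMPUTERS):
    """Split a long computer list into batches the LAS can process (option 3)."""
    it = iter(computers)
    out = []
    while chunk := list(islice(it, size)):
        out.append(chunk)
    return out

def filter_results(rows, computers):
    """Keep only rows for the computers actually asked about. Rows are
    (computer, event) tuples, as they might appear in an exported CSV."""
    wanted = set(computers)
    return [row for row in rows if row[0] in wanted]

def merge_exports(exports):
    """Combine per-batch exports into one list, dropping duplicates that
    appear when a computer belongs to more than one batch (option 3)."""
    seen = set()
    merged = []
    for rows in exports:
        for row in rows:
            if row not in seen:
                seen.add(row)
                merged.append(row)
    return merged

# Constructed sample membership: 250 servers (over the limit) and 10 workstations.
SAMPLE_GROUPS = {
    "Servers": [f"srv{i:03d}" for i in range(250)],
    "Workstations": [f"ws{i:02d}" for i in range(10)],
}
```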

Cause

The computer group has more than 200 computers in it.

Additional Information

Formerly known as NETIQKB72994

Please note that this limitation is documented in the online help for Forensics.