The stats command works on the search results as a whole and returns only the fields that you specify. For example, the following search returns a table with two columns (and 10 rows):

sourcetype=access_* | head 10 | stats sum(bytes) as ASumOfBytes by clientip

The eventstats and streamstats commands are variations on the stats command. The streamstats command calculates a cumulative count for each event, at the time the event is processed. In the streamstats example, the dataset literal specifies fields and values for four events, the streamstats command is used to create the count field, and the last event does not contain the age field.

Use the tstats command to perform statistical queries on indexed fields in tsidx files. The indexed fields can be from indexed data or accelerated data models. Because it searches on index-time fields instead of raw events, the tstats command is faster than the stats command. By default, the tstats command runs over accelerated and ...

The following list contains the functions that you can use on multivalue fields or to return multivalue fields. You can also use the statistical eval functions, such as max, on multivalue fields. See Statistical eval functions.

Multivalue eval functions:
mvsort(X): Returns the values of a multivalue field sorted lexicographically.
mvzip(X,Y,"Z"): Combines the values in two multivalue fields. The delimiter is used to specify a delimiting character to join the two values.

I am reading Nessus discovery scan logs, and the way Nessus formats its data is by separating fields by events. They run one test on an IP and get one result, so for one IP they could have 30 events, one having the host name, OS, device type, etc. However, that doesn't present the data in the way I want it.

I'm trying to use eval within stats to work with data from tstats, but it doesn't seem to work the way I expected it to work. Here's a simplified version of what I'm trying to do:

| tstats summariesonly=t allow_old_summaries=f prestats=t count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h
| stats count as total_connections count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked by _time, sourcetype

When I run that, I see valid numbers for total_connections, but the "allowed" and "blocked" values are all just "0". I'm hoping there's something that I can do to make this work. I'd like to add things like percentage blocked per sourcetype, etc., with additional eval statements.

The following works for me:

| tstats summariesonly=t allow_old_summaries=f prestats=f count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h

Regarding returning a blank value: when you use count, it will always return an integer; you may have to use another eval to set the field to blank if it is 0.
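Worked example for the tstats question above, added here by the editor and not taken from the thread: a form of the query that produces per-hour allowed and blocked counts and a blocked percentage per sourcetype. It relies on two properties of tstats that hold for any data model search: the fields it returns carry the dataset prefix (All_Traffic.action, not action), so an eval that tests action never matches, and with prestats=f each row already holds an aggregated count, so the second stats must sum that count rather than count rows. The data model and field names are the ones from the question; the output field names (total_connections, allowed, blocked, pct_blocked) are my own.

```spl
| tstats summariesonly=t allow_old_summaries=f prestats=f count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action!="unknown"
    by _time, sourcetype, All_Traffic.action span=1h
| rename All_Traffic.action as action
| stats sum(count) as total_connections
        sum(eval(if(action="allowed", count, 0))) as allowed
        sum(eval(if(action="blocked" OR action="dropped", count, 0))) as blocked
        by _time, sourcetype
| eval pct_blocked=if(total_connections > 0, round(100 * blocked / total_connections, 2), null())
| sort - pct_blocked
```

Two caveats when this feeds a detection or a dashboard. summariesonly=t only reads accelerated summaries, so any hour the acceleration has not yet built is silently absent, which under-reports blocked traffic; validate against summariesonly=f before trusting the numbers. And if you apply the blank-instead-of-0 trick from the reply, do it as the last step: the percentage arithmetic needs blocked to stay numeric.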
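For the Nessus question above, an added example (not from the thread) of collapsing one-finding-per-event scan output into a single row per IP with stats and the multivalue functions listed earlier. The sourcetype nessus and the field names ip, host_name, os, device_type, plugin_name and plugin_output are assumptions for illustration; substitute whatever your Nessus input actually extracts.

```spl
sourcetype=nessus
| fillnull value="-" plugin_name plugin_output
| stats values(host_name) as host_name
        values(os) as os
        values(device_type) as device_type
        list(plugin_name) as plugin_name
        list(plugin_output) as plugin_output
        count as events
        by ip
| eval findings=mvzip(plugin_name, plugin_output, ": ")
| eval findings=mvsort(findings)
| table ip host_name os device_type events findings
```

The choice of aggregation matters for the paired fields. values() de-duplicates and sorts lexicographically, so zipping two values() results would pair names with the wrong outputs; list() keeps event order (it is capped at 100 values per field) but only includes events where the field exists, which is why fillnull runs first so the two lists stay aligned. values() is the right choice for host_name, os and device_type, which should occur once per IP; seeing more than one value there is itself a useful signal that successive scans disagree about the host.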