I'm using the following search, but it's not working:
index=proxy_logs category="Entertainment" category="Business" | stats ..
This search is not giving results, but in the logs I have users who visited sites with both categories.
Like a user visited site1 with category="Entertainment" and while further surfing, he visited another site2 category="Business".
I need to find such users.
If using this search:
index=bluecoat category="Translation" OR category="Pornography"
it is giving results. But in those results, I have users who accessed either one of them not both of them.
Please tell me if you need more information.
Try this if your user name field is, say, "userName":
index=bluecoat category="Translation" OR category="Pornography" | stats dc(category) as distinctCategory by userName | where distinctCategory>=2
Hi @ivar9692 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Thanks!
Please check this one -
index=proxy_logs category="Entertainment" [ search index=proxy_logs category="Business" | table UserNames ] | stats ..
Try like this. Replace PutYourUserFieldHere with the field that you want to use for the user:
index=bluecoat category="Translation" OR category="Pornography" | stats values(category) as category by PutYourUserFieldHere | where mvcount(category)=2
I don't have the answer, but the problem with your first search is that it is looking for single events that contain both categories at the same time, which is not possible with single value fields.
Fear not, I'm sure someone will show you how to use your search and sort them out by user so that only users that did both in different events are listed.
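To make the point of the thread concrete (the original search is an implicit AND on a single event, so it can never match a single-valued category field, whereas grouping by user and counting distinct categories does), here is an added Python example that is not part of any answer above. It runs the same three strategies (the per-event AND, the stats dc(category)/values(category) grouping, and the subsearch) over a handful of constructed key=value proxy events; the field names userName, site and category and the event lines are assumptions for the demo, not real logs.

```python
import re
from collections import defaultdict

# Constructed sample proxy events in Splunk-style key="value" form (not real logs).
SAMPLE_EVENTS = [
    '2024-01-01T10:00:01 userName="alice" site="site1.example" category="Entertainment"',
    '2024-01-01T10:05:12 userName="alice" site="site2.example" category="Business"',
    '2024-01-01T10:07:40 userName="bob"   site="site3.example" category="Business"',
    '2024-01-01T10:09:03 userName="carol" site="site1.example" category="Entertainment"',
    '2024-01-01T10:11:55 userName="carol" site="site4.example" category="Entertainment"',
    '2024-01-01T10:15:20 userName="dave"  site="site5.example" category="News"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_events(lines):
    """Extract key="value" pairs from each event, like Splunk's automatic field extraction."""
    return [dict(KV_RE.findall(line)) for line in lines]


def single_events_matching_both(events, cat_a, cat_b):
    """The original search `category="A" category="B"`: an implicit AND evaluated per event.
    category is single-valued, so no event can satisfy both and the result is always []."""
    return [e for e in events if e.get("category") == cat_a and e.get("category") == cat_b]


def users_with_all_categories(events, user_field, categories):
    """Equivalent of:
    category="A" OR category="B"
      | stats dc(category) as distinctCategory by <user>
      | where distinctCategory>=<number of categories>
    i.e. collect the categories each user touched across separate events, then keep
    only the users who touched every requested category."""
    wanted = set(categories)
    seen = defaultdict(set)                       # user -> set of categories (values(category))
    for e in events:
        cat, user = e.get("category"), e.get(user_field)
        if cat in wanted and user:                # the OR filter restricts to the categories of interest
            seen[user].add(cat)
    # dc(category) >= len(wanted): the user visited every category in the list
    return sorted(u for u, cats in seen.items() if len(cats) >= len(wanted))


def users_via_subsearch(events, user_field, outer_cat, inner_cat):
    """Equivalent of the subsearch answer:
    category="A" [ search category="B" | table <user> ]
    The inner search yields the users seen with B; the outer search keeps A events for those users."""
    inner_users = {e.get(user_field) for e in events if e.get("category") == inner_cat}
    return sorted({e[user_field] for e in events
                   if e.get("category") == outer_cat and e.get(user_field) in inner_users})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("per-event AND:", single_events_matching_both(evts, "Entertainment", "Business"))
    print("stats dc by user:", users_with_all_categories(evts, "userName", ["Entertainment", "Business"]))
    print("subsearch:", users_via_subsearch(evts, "userName", "Entertainment", "Business"))
```

Both grouping strategies return only alice: carol has two Entertainment events but only one distinct category, and dave's category is outside the OR filter. In production the stats form is usually preferable because a subsearch is subject to Splunk's default result limit (10,000 rows) and timeout, so the inner user list can be silently truncated on a busy proxy index.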