Variables:
LoginString
Connections
UT=10
UT=45
Essentially, I want to grab the login string where UT=45 and then tie that LoginString to the Connections. I want to then count the number of times UT=10 happens on that same connection, and group that count by LoginString in a timechart.
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=12345 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="randomString"
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
In this case, the timechart should have 3 dots with 2 of them being the same color.
randomString would have 2 and veryUnRandom would have 1 for the first dot and 3 for the second dot.
I am close in that I am using eventstats values(LoginString) as LoginString by conn | where tag=10 | timechart span=1h count by LoginString, but it's giving me the connection instead.
Any advice?
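The correlation the question describes (learn each connection's LoginString from its UT=45 event, then count that connection's UT=10 events per time bucket), worked over the sample events as an added Python example; this is not part of the original post or of Splunk, and the bucket size is a parameter so that the minute-level and one-hour results can be compared:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events, in the same format as the question's data.
SAMPLE_LOG = """\
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=12345 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="randomString"
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*?Connections=(?P<conn>\d+).*?UT=(?P<ut>\d+)'
    r'(?:.*?LoginString="(?P<login>[^"]*)")?'
)

def parse(line):
    """Return (timestamp, connection id, UT, LoginString-or-None) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("conn"), int(m.group("ut")), m.group("login")

def count_by_login(lines, span_minutes=1):
    """Count UT=10 events per time bucket, keyed by the LoginString of the same connection."""
    events = [e for e in map(parse, lines) if e]
    # Pass 1 (the eventstats step): collect every LoginString seen on each connection.
    logins_of = defaultdict(set)
    for _, conn, ut, login in events:
        if ut == 45 and login:
            logins_of[conn].add(login)
    # Pass 2 (where UT=10 | timechart count by LoginString): bucket and count.
    result = defaultdict(Counter)
    for ts, conn, ut, _ in events:
        if ut != 10:
            continue
        bucket = ts.replace(second=0, microsecond=0)
        bucket = bucket.replace(minute=bucket.minute - bucket.minute % span_minutes)
        for login in logins_of.get(conn, {"<no LoginString>"}):
            result[bucket.strftime("%Y-%m-%d %H:%M")][login] += 1
    return {k: dict(v) for k, v in result.items()}
```

With span_minutes=1 the output is the two points the question expects (2 and 1, then 3); with span_minutes=60 both timestamps fall into the 20:00 bucket and the counts merge into one point per LoginString.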
Hi jegreene, I tried out the search you suggested above on the data you supplied and I got what you wanted ... the three points plotted over time and separated by LoginString. 2 and 1 for the first time point and 3 for the second. Have you had a look at it as a column chart? Are there definitely no typos? Is it perhaps the span?
You're asking to do a timechart with a one hour span, which means that in your sample events the aggregate will be calculated over the 8pm hour. And you're only grouping by LoginString, which has two distinct values. So you'll only have 2 points on the timechart, one for each LoginString. You can't have 3 points for 2 values. That's where the aggregate comes into play (count in this case). It will perform the aggregate for each group by field and display the result on the graph.
So what exactly would you like to see? You could concatenate LoginString with Connections and then group by that result. That would leave you with 3 values for the group by field and so you would see each of those points on your graph.
Does that make sense?
x = time
y = number of connections where UT=10
group by = login string
Those are the three variables.
Makes sense?
Something is wrong in my logic because I am only getting the connections.
Essentially the connections should be replaced by the login string.