Hi,
I have a simple alert that runs nightly, it is something like:
index=bluecoat cs_categories="*Forbidden*" | top limit=20 client_ip
Basically it shows a report of the top 20 clients that access forbidden sites, calculated/grouped by IP. The format is:
client_ip count percentage
I am simply looking to add more fields into this output without changing how it is calculated
Want to say something like
index=bluecoat cs_categories="*Forbidden*" | top limit=20 client_ip | table client_ip user dest count percentage
Can't get it to work. If I add the additional fields after top limit=20 client_ip, I lose the client_ip grouping and it breaks everything out based on the additional fields. Just looking to add a few info fields into the results and keep the query the same. Thanks
The top command only returns those fields - once it's done there are no other fields present. Besides, if you're picking 20 client IPs, wouldn't there be different values for user and dest for each of them?
If you want unique values for user and dest, maybe using a subsearch would do what you want?
index=bluecoat cs_categories="*Forbidden*" [search index=bluecoat cs_categories="*Forbidden*" | top 20 client_ip | fields client_ip] | top user,dest by client_ip
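To make the point of the answer concrete, here is an added Python model (not part of the original thread, and not Splunk's own code) of the two-stage pipeline above: first rank client IPs the way `top limit=N client_ip` does, which yields only client_ip, count and percent, then go back to the filtered events for just those IPs and collect their distinct user and dest values, which is what the subsearch plus `top user,dest by client_ip` achieves. The proxy events are constructed sample records, not real log data; field names follow the ones used in the question.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real proxy data) modelling index=bluecoat
# records; cs_categories is the field the question filters on.
EVENTS = [
    {"client_ip": "10.0.0.5", "user": "alice", "dest": "bad-1.example", "cs_categories": "Forbidden"},
    {"client_ip": "10.0.0.5", "user": "alice", "dest": "bad-2.example", "cs_categories": "Forbidden"},
    {"client_ip": "10.0.0.5", "user": "alice", "dest": "bad-1.example", "cs_categories": "Forbidden"},
    {"client_ip": "10.0.0.7", "user": "bob",   "dest": "bad-3.example", "cs_categories": "Forbidden"},
    {"client_ip": "10.0.0.7", "user": "carol", "dest": "bad-3.example", "cs_categories": "Forbidden"},
    {"client_ip": "10.0.0.9", "user": "dave",  "dest": "bad-1.example", "cs_categories": "Forbidden"},
    {"client_ip": "10.0.0.9", "user": "dave",  "dest": "ok.example",    "cs_categories": "Business"},
]


def forbidden(events):
    """Model of the base search: cs_categories="*Forbidden*"."""
    return [e for e in events if "Forbidden" in e["cs_categories"]]


def top_client_ip(events, limit=20):
    """Model of `| top limit=N client_ip`.

    Returns rows holding only client_ip, count and percent; like the real
    command, every other event field is gone after this step.
    """
    counts = Counter(e["client_ip"] for e in events)
    total = sum(counts.values())
    rows = []
    for ip, n in counts.most_common(limit):
        rows.append({"client_ip": ip, "count": n,
                     "percent": round(100.0 * n / total, 6)})
    return rows


def enrich_top(events, limit=20):
    """Two-stage approach from the answer: rank IPs first, then return to the
    events for only those IPs and gather their distinct users and dests.

    The `keep` set plays the role of the subsearch, which hands the outer
    search a list of client_ip values to restrict on.
    """
    ranked = top_client_ip(events, limit)
    keep = {r["client_ip"] for r in ranked}
    users, dests = defaultdict(set), defaultdict(set)
    for e in events:
        if e["client_ip"] in keep:
            users[e["client_ip"]].add(e["user"])
            dests[e["client_ip"]].add(e["dest"])
    for r in ranked:
        # Sorted lists mirror multivalue fields; the original count and
        # percent from the ranking step are left untouched.
        r["user"] = sorted(users[r["client_ip"]])
        r["dest"] = sorted(dests[r["client_ip"]])
    return ranked


if __name__ == "__main__":
    for row in enrich_top(forbidden(EVENTS), limit=20):
        print(row)
```

Running it shows why `| table client_ip user dest count percentage` after `top` comes back empty for user and dest: those columns were never carried past the ranking step. The enrichment keeps the ranking and percentages exactly as `top` computed them and attaches the extra fields as multivalue lists, which is the only honest representation when one IP maps to several users or destinations.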