Solved: Re: Get counts of more than one field in same even...

tnkoehn · ‎02-22-2013

Let's say I have log records that look like this

Field 1     Field 2
ABC         XYZ
ABC         KLM
XYZ         ABC         
ABC         XYZ
KLM         KLM

I want to get the number of ABCs and also the number XYZs regardless of what field they're in, and ignore anything else. So results would look like this:

Value     Count
ABC       4
XYZ       3

My current search is below, but it won't total correctly if field1 AND field2 both have an ABC or XYZ.

search * 
| eval value=case(match(field1,"^[ABC|XYZ]",field1,match(field2,"^[ABC|XYZ]",field2)
|count by value

It's probably incredibly easy, but I can't figure it out.

martin_mueller · ‎02-22-2013

You could create four individual counts like this

...  | stats count(eval(f1=="ABC")) as abc_1 count(eval(f2=="ABC")) as abc_2 count(eval(f1=="XYZ")) as xyz_1 count(eval(f2=="XYZ")) as xyz_2

and then add each pair together to get your two counts.

View solution in original post

martin_mueller · ‎02-22-2013

You could create four individual counts like this

...  | stats count(eval(f1=="ABC")) as abc_1 count(eval(f2=="ABC")) as abc_2 count(eval(f1=="XYZ")) as xyz_1 count(eval(f2=="XYZ")) as xyz_2

and then add each pair together to get your two counts.

Get counts of more than one field in same event

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...