How to count all events by a value combination ev...

HeinzWaescher · ‎06-17-2016

Hi,

let's say we have an event with

Field1=A
Field2=B

and another event with

Field1=B
Field2=A

How can I count all events grouped by such kind of value combination even if the values appear in different fields?
I could use

 count(eval(if((Field1="A" AND  Field2="B") OR (Field1="B" AND Field2="A"), source, null())))

But there is no static list of possible values for the fields so it needs to be a dynamic search.
I'm expecting some kind of multivalue transformation but can't find a solution.

Thanks in advance

woodcock · ‎06-17-2016

Like this:

... | eval ValueA="No" | eval ValuePound="No" | foreach * [ 
    eval ValuePound=if(($<<FIELD>>$="#"), "<<FIELD>>", ValuePound) 
    | eval ValueA=if(($<<FIELD>>$="A"), "<<FIELD>>", ValueA) ] 
| stats count(eval(ValueA!="No")) AS NumValueA count(eval(ValuePound!="No")) AS NumValuePound

somesoni2 · ‎06-17-2016

Give this a try

your base search | eval groupfield=mvsort(split(Field1."#".Field2,"#")) | stats count by groupfield

HeinzWaescher · ‎06-17-2016

This results in a count by every value, so twice the amount of events.

HeinzWaescher · ‎06-17-2016

This seems to work:

| eval mv='field1."#".'field2'
| makemv delim="#" mv

| eval groupfield=mvsort(mv)
| makemv delim="#" groupfield

| stats count by groupfield

How to count all events by a value combination even if the values appear in different fields?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...