Solved: Re: How to display events in table format when sam...

rkeq0515 · ‎05-22-2020

Is there a way to display events in a table when the same value appears multiple times with other values?
I am looking for user accounts that appear on two or more systems.

The following is a list of records:

I have been trying different queries based off of the follow but I cant seem to get the correct syntax. I can get a count on field 1 and/or field 2, but I am not able to pull just those events listed above and the attributes accompanying (field3, field4, etc.) the events.

1. index="myindex"
2. | stats count by field1 field2
3. | where count > 1
4. | table count field1 field2 field3
5. | sort - count

to4kawa · ‎05-22-2020

 index="myindex"
| eventstats dc(field1) as counts by field2
| where counts > 1
| table as_you_like

How about this?

View solution in original post

to4kawa · ‎05-22-2020

 index="myindex"
| eventstats dc(field1) as counts by field2
| where counts > 1
| table as_you_like

How about this?

How to display events in table format when same value appears multiple times?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...