index=main sourcetype=mysourcetype | stats count by X | lookup data.csv cad as X | table name, count, login | where name!="" | rename name as Application | rename count as "# of sessions"
I want to show this below with the "Login", but that field is in a different log. How do I get this? I need to show count of logins.
Format Preview
Apn      # of sessions   Login
Se       57
Vr       18
Vce      24
Vint     1017
Wiint    6972
Google   6580
BaNCE    29896
Foy      16
JIA      17768
Sta      2355
ip       135
Like this:
index=main sourcetype=mysourcetype OR sourcetype=othersourcetype | stats count(eval(sourcetype="mysourcetype")) AS SessionCount count(eval(sourcetype="othersourcetype")) AS LoginCount by X
I got the count, but the thing is it is from the same source type. What is the query for that? And will it automatically map the lookup?
I need a table
Application # of sessions Count(login)
You have not shared enough detail in order to give you a custom-fit answer. We do not know what fields are created by your lookup. We do not know what X is or how Apn fits into anything or even if Apn is a field. The search that I gave you is enough of a baseline for you to build out what you are asking and that is as much as I can say without much more detail from you.
Thank you!! I got that.