Hello all,
For some reason, the search below isn't working for me... I am trying to search for the Top 25 Business Units that have triggered a DLP incident and sort it by those incidents... Unsure if it's the lack of caffeine, but I was under the impression this would work...
(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory) IncidentType="*" department="*"
| Top 25 department
| sort by IncidentType
Greatly appreciate your inputs.
Use double quotes for sourcetype=intel:dlp ---- sourcetype="intel:dlp"
Thank you puneethgowda - but still no data... I've been trying other constants but no results.
index=dlp sourcetype=intel:dlp OR index=msad sourcetype=ActiveDirectory
Try this
index="dlp" sourcetype="intel:dlp" OR index="msad" sourcetype="ActiveDirectory"
Add double quotes.
Nope...
This is when the data comes...
(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory)
Try this
(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory) IncidentType="*" department="*" | top 25 department by IncidentType | sort by IncidentType
Thank you sundareshr - but still no data... I've been trying other constants but no results.
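An added example, not posted by anyone in this thread: the searches above return data until both field filters are added, which is what you would see if IncidentType only exists in the intel:dlp events and department only exists in the ActiveDirectory events, so no single event carries both. The search below correlates the two sourcetypes per user and then ranks departments by incident count; it assumes both sourcetypes share a field named user, which is not stated in the thread.

```spl
(index=dlp sourcetype="intel:dlp" IncidentType=*)
    OR (index=msad sourcetype="ActiveDirectory" department=*)
| eval user=lower(user)
| stats values(department) as department
        sum(eval(if(isnotnull(IncidentType),1,0))) as incidents
        by user
| where incidents > 0 AND isnotnull(department)
| stats sum(incidents) as incidents by department
| sort 25 -incidents
```

The final sort returns the 25 departments with the most incidents in descending order; a trailing sort on IncidentType is no longer needed because the incidents are already aggregated per department.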