Solved: use stat results as string instead of numbers

rtalcik · ‎02-28-2020

Hi everyone, so I am wondering if it is possible to display my results as a string for computername instead of displaying it as a number. I don't believe using count or stats is the right process here, but I was wondering if someone can help me edit my command to do what I want So below is the stats command and I want to see the results by user along with WHAT computername and WHAT Host as a string

| stats count as total_count count(eval(EventCode="4625")) as denied_count count(eval(EventCode="4624" OR EventCode="4768" OR EventCode="4776")) as permitted_count count(eval(host)) as host count(eval(ComputerName)) as computer by user

richgalloway · ‎02-28-2020

Try this

... | stats count as total_count count(eval(EventCode="4625")) as denied_count count(eval(EventCode="4624" OR EventCode="4768" OR EventCode="4776")) as permitted_count count(host) as host count(ComputerName) as computer values(host) as hosts values(ComputerName) as computers by user

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-28-2020

Try this

... | stats count as total_count count(eval(EventCode="4625")) as denied_count count(eval(EventCode="4624" OR EventCode="4768" OR EventCode="4776")) as permitted_count count(host) as host count(ComputerName) as computer values(host) as hosts values(ComputerName) as computers by user

---
If this reply helps you, Karma would be appreciated.

rtalcik · ‎03-03-2020

This is perfect I am going to look into the values thing now. THANKS!!

use stat results as string instead of numbers

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...