Hope someone is up for a challenge. Here's the query I'm using.
index=[app] [keyword] earliest=10/01/2013:0:0:0 latest=11/01/2013:0:0:0 | fillnull value=NULL cs5 | stats count by src, cs1, cs5 | eval cs5 = case(cs5="NULL","No MSRT Fix",1=1,"MSRT Fix Available")
My results table lists each unique instance (where src is the IP address, cs1 lists the infection's name, and cs5 determines whether MSRT can fix it or not).
I would like to design a 3-level area plot for my dashboard that displays the total # of events, the total # with no fix, and the total # fixable, and I'd like the total count to start over every 24 hours, so that each IP with a unique infection is counted only once per day.
I can't get the area plot to include the total events found (fixable and not), I can't get it to break up its peaks by day, and I can't get it to treat each day as a unique set of results. I don't know if I should use dedup, because I want the IP-with-unique-infection to be counted again if it appears again on another day.
Is all this even possible? I'm really having a hard time with this, so any help is greatly appreciated. Thanks in advance.
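One way to get the three per-day series the post asks for, as an added example that is not part of the original post and not the poster's own query. It keeps the poster's base search, index, and field names (src, cs1, cs5) as given; the assumptions are that a "unique infection" means one (src, cs1) pair, and that counting it once per calendar day is the intended granularity. The day bucket is attached first, so dedup is scoped to the day and the same pair is counted again if it reappears on a later day.

```spl
index=[app] [keyword] earliest=10/01/2013:0:0:0 latest=11/01/2013:0:0:0
| fillnull value=NULL cs5
| eval fix=if(cs5="NULL","No MSRT Fix","MSRT Fix Available")
| bin _time span=1d
| dedup _time src cs1
| timechart span=1d count AS "Total", count(eval(fix="No MSRT Fix")) AS "No MSRT Fix", count(eval(fix="MSRT Fix Available")) AS "MSRT Fix Available"
```

The result is one row per day with three columns, which an area chart renders as three stacked or overlaid series. Because dedup keeps the first event per (day, src, cs1), a pair whose cs5 value differs between events on the same day is classified by whichever event dedup retains; if that matters, add cs5 (or fix) to the dedup field list and accept that such pairs then count once per status.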