A question from a Splunk forum thread on correlating Windows security-group changes:

I could use some help here with creating a search. Ultimately, I would like to know, if a user is added to a specific set of security groups, what security groups, if any, were removed from that same user.

Here is a search for security group removal:

```
index=wineventlog EventCode=4729 EventCodeDescription="A member was removed from a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
```

Here is a search for security group added:

```
index=wineventlog EventCode=4728 EventCodeDescription="A member was Added to a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog | table member, Group_Name, Subject_Account_Name, _time
```

Security groups I would like to monitor users being added to:

Again, I am looking to monitor, if a user was added to any of the above 6 security groups, whether they were removed from any other groups within a few hours before or after the event. Let me know if I can provide any additional info and, as always, thank you for the help.

A comment from the same thread:

Yes, you can split your count by how many fields you want. "This doesn't work" is not a very constructive comment.

Stats command usage

Using the from command instead

Most of the things you can do with the stats command are also possible using the from command. For example, if your search is

```
| stats count() BY host
```

the following searches return the same results:

```
| FROM GROUP BY host SELECT count(), host
| SELECT count(), host FROM GROUP BY host
```

For more information, see from command overview.

When you perform an aggregation over a multivalue field, each of the values in the field is included in the aggregation. If you run

```
| stats count, count(fieldY), sum(fieldY) BY fieldX
```

the following results are returned. The results are grouped first by fieldX. The count field contains a count of the rows that contain A or B. The count(fieldY) aggregation counts the rows in the fieldY column that contain a single value; however, if a field is a multivalue field, the aggregation counts the number of values in the field. The sum(fieldY) aggregation adds up all of the values in both single-value and multivalue fields.

Grouping results

Group results by a timespan

To group search results by a timespan, use the span statistical function. The field you use in the span function must be either the _time field or another field in UNIX time. This example returns the count of events in 5 minute intervals:

```
| bin _time span=5min | stats count(error) BY _time
```

You can accomplish the same results using the from command:

```
| FROM GROUP BY span(_time, 5min) SELECT count(error), _time
| SELECT count(error), _time FROM GROUP BY span(_time, 5min)
```

For more information about specifying a span, see Specifying time spans in the SPL2 Search Manual.

When grouping by a multivalue field, the stats command produces one row for each value in the field. For example, suppose the incoming result set is this:

If you specify fieldC in the BY clause, such as

```
| stats sum(fieldA) BY fieldC
```

the results are:

Differences between SPL and SPL2

Command options must be specified before command arguments

In SPL, the count function could be specified without parentheses. In SPL2, the parentheses are required when you use the count function. For all other functions, you must specify a field inside the parentheses or BY clause. If you specify a list of fields in the BY clause, the list must be comma-delimited. If you specify multiple aggregations, the aggregations must be comma-delimited, for example:

```
| stats avg(fieldX), max(fieldY) BY host
```
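The correlation asked for in the forum question at the top of this page, worked through in Python over constructed sample events: for every 4728 add into a watched group, list the 4729 removals of the same member within a time window before or after it. This is an added example, not code from the post, the thread's comments or the Splunk documentation. The event records, group names and account names are made up; the field names follow the two searches in the post; the three-hour window and the two watched groups are assumptions standing in for the "few hours" and the six groups the post mentions but does not list.

```python
"""Added example (not from the forum post or the Splunk documentation):
correlate 4728 "member added to a security-enabled global group" events
with 4729 "member removed" events for the same account inside a time
window, which is what the question at the top of the page asks for.

All events, group names and account names below are constructed for
illustration; the field names (_time, EventCode, member, Group_Name,
Subject_Account_Name) follow the two searches in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADDED, REMOVED = 4728, 4729

# Constructed sample events (not real log data), one dict per Windows
# Security event, roughly what the post's two searches would return.
EVENTS = [
    {"_time": "2023-05-01T08:05:00", "EventCode": REMOVED, "member": "jdoe",
     "Group_Name": "Helpdesk", "Subject_Account_Name": "srv_HiveProvSentry"},
    {"_time": "2023-05-01T09:00:00", "EventCode": ADDED, "member": "jdoe",
     "Group_Name": "Tier0-Admins", "Subject_Account_Name": "srv_HiveProvSentry"},
    {"_time": "2023-05-01T10:30:00", "EventCode": REMOVED, "member": "jdoe",
     "Group_Name": "Finance-RO", "Subject_Account_Name": "srv_HiveProvSentryNe"},
    # A removal a day later: outside a 3-hour window, must not be correlated.
    {"_time": "2023-05-02T09:00:00", "EventCode": REMOVED, "member": "jdoe",
     "Group_Name": "Old-Project", "Subject_Account_Name": "srv_HiveProvSentry"},
    # An add with no removals around it: reported with an empty list.
    {"_time": "2023-05-01T09:10:00", "EventCode": ADDED, "member": "asmith",
     "Group_Name": "Tier0-Admins", "Subject_Account_Name": "srv_HiveProvSentry"},
    # An add to a group that is not watched: ignored entirely.
    {"_time": "2023-05-01T09:20:00", "EventCode": ADDED, "member": "bjones",
     "Group_Name": "Printers", "Subject_Account_Name": "srv_HiveProvSentry"},
    {"_time": "2023-05-01T09:25:00", "EventCode": REMOVED, "member": "bjones",
     "Group_Name": "Helpdesk", "Subject_Account_Name": "srv_HiveProvSentry"},
]

# Hypothetical stand-in for the six groups the post wants to watch.
WATCHED_GROUPS = {"Tier0-Admins", "Backup-Operators-Eq"}


def correlate(events, watched_groups, window_hours=3):
    """For each add (4728) into a watched group, list the removals (4729)
    of the same member within +/- window_hours of the add.

    Returns {(member, group_added, add_time): [(group_removed, minutes), ...]}
    where minutes is removal time minus add time, so a negative value means
    the removal happened before the add.
    """
    window = timedelta(hours=window_hours)

    # Index removals by member first, the equivalent of "stats ... BY member"
    # on the 4729 search, so each add is matched against one short list.
    removals = defaultdict(list)  # member -> [(time, group)]
    for e in events:
        if e["EventCode"] == REMOVED:
            removals[e["member"]].append(
                (datetime.fromisoformat(e["_time"]), e["Group_Name"]))

    results = {}
    for e in events:
        if e["EventCode"] != ADDED or e["Group_Name"] not in watched_groups:
            continue
        t_add = datetime.fromisoformat(e["_time"])
        hits = []
        for t_rm, group in sorted(removals[e["member"]]):
            delta = t_rm - t_add
            if abs(delta) <= window:
                hits.append((group, int(delta.total_seconds()) // 60))
        results[(e["member"], e["Group_Name"], e["_time"])] = hits
    return results


if __name__ == "__main__":
    for (member, group, when), hits in correlate(EVENTS, WATCHED_GROUPS).items():
        removed = ", ".join(f"{g} ({m:+d} min)" for g, m in hits) or "none"
        print(f"{when} {member} added to {group}; removed from: {removed}")
```

Two caveats the post's own searches carry, worth checking before relying on the result: EventCodes 4728 and 4729 cover only security-enabled global groups (domain local groups log 4732/4733 and universal groups log 4756/4757), so a watched group of another scope never appears; and filtering both searches on two Subject_Account_Name values means a removal performed by any other account is never seen. In Splunk itself the same correlation comes from searching both EventCodes in one query and grouping by member, rather than joining two separate searches.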