Here is my raw data:
advisories=[Advisory@51046c2f[advisory=6,rule=LOGIN_3,passive=true], Advisory@2f9ea478[advisory=32,rule=LOGIN_30,passive=false], Advisory@795aab36[advisory=29,rule=LOGIN_26,passive=false]],passiveResponse=PassiveResultCollector@482f8caf[passivePrimary=LOGIN_3,passive=true,passiveAction=INTERDICT,passvieRules=[LOGIN_3],allRuleMarkers=[LOGIN_3]]];
index=sims_prod source=*/authentication-audit.log earliest=-1d@d
|where advisories!="[]"
|rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
|foreach advisory isPassive [eval activeAdvName=if(isPassive="false",advisory,"null")|eval activeAdvCount= if(isPassive="false",1,0)]
| stats sum(activeAdvCount) as ActiveAdvCount by activeAdvName
Current result:
activeAdvName ActiveAdvCount
29 1
32 1
6 1
activeAdvName ActiveAdvCount
29 1
32 1
and if I want to get the Passive Advisory Count, I should get
PassiveAdvName PassiveAdvCount
6 1
See if this works for you
index=sims_prod source=*/authentication-audit.log earliest=-1d@d
| where advisories!="[]"
| rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
| eval z=mvzip(advisory,isPassive)
| mvexpand z
| rex field=z "(?<advisory>[^,]+),(?<isPassive>[^,]+)"
| eval activeAdvName=if(isPassive="false",advisory,"null")
| eval activeAdvCount=if(isPassive="false",1,0)
| stats sum(activeAdvCount) as ActiveAdvCount by activeAdvName
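The same extraction done offline in Python, as an added example that is not part of the answer above or of Splunk's own tooling. It reproduces what the rex / mvzip / mvexpand pipeline does (pair each advisory id with its own passive flag before counting, so a multi-advisory event never mixes up which id is active) and additionally produces the passive count the question asked about. The sample events and the surrounding fields (ts, user, the trailing passiveResponse) are constructed here to mimic the raw data in the question; only the advisories layout is taken from the post.

```python
import re
from collections import Counter

# Constructed sample events (not from the original index). Each line mimics one
# authentication-audit.log event carrying an "advisories=[...]" field laid out
# like the raw data in the question.
SAMPLE_EVENTS = [
    "ts=2024-01-01T00:00:01Z user=alice advisories=["
    "Advisory@51046c2f[advisory=6,rule=LOGIN_3,passive=true], "
    "Advisory@2f9ea478[advisory=32,rule=LOGIN_30,passive=false], "
    "Advisory@795aab36[advisory=29,rule=LOGIN_26,passive=false]]"
    ",passiveResponse=PassiveResultCollector@482f8caf[passivePrimary=LOGIN_3]",
    # Event with no advisories: equivalent to the `where advisories!="[]"` filter.
    "ts=2024-01-01T00:00:02Z user=bob advisories=[],passiveResponse=none",
    # A second hit on advisory 32 so the active count for 32 becomes 2.
    "ts=2024-01-01T00:00:03Z user=carol advisories=["
    "Advisory@0a1b2c3d[advisory=32,rule=LOGIN_30,passive=false]]"
    ",passiveResponse=none",
]

# Isolates the advisories list; non-greedy match stops at the outer "]" that is
# immediately followed by ",passiveResponse".
ADVISORIES_FIELD = re.compile(r"advisories=(\[.*?\]),passiveResponse")

# Same pattern as the rex in the answer, one match per inner Advisory[...] block.
ADVISORY_RE = re.compile(
    r"\[advisory=(?P<advisory>\d+),rule=(?P<rule>[^,]+),passive=(?P<isPassive>[^\]]+)\]"
)

# Mirrors rex max_match=10: only the first ten advisories per event are kept.
MAX_MATCH = 10


def extract_advisories(event, max_match=MAX_MATCH):
    """Return [(advisory_id, rule, is_passive), ...] for one event.

    Pairing id and flag per match is what mvzip/mvexpand achieve in SPL:
    the flag belongs to the advisory it was parsed next to, not to the event.
    """
    m = ADVISORIES_FIELD.search(event)
    if not m or m.group(1) == "[]":
        return []
    return [
        (int(a.group("advisory")), a.group("rule"), a.group("isPassive") == "true")
        for a in ADVISORY_RE.finditer(m.group(1))
    ][:max_match]


def count_advisories(events):
    """Return (active_counts, passive_counts) keyed by advisory id.

    active_counts corresponds to ActiveAdvCount by activeAdvName;
    passive_counts is the PassiveAdvCount the question wanted next.
    """
    active, passive = Counter(), Counter()
    for event in events:
        for advisory_id, _rule, is_passive in extract_advisories(event):
            (passive if is_passive else active)[advisory_id] += 1
    return dict(active), dict(passive)


if __name__ == "__main__":
    active_counts, passive_counts = count_advisories(SAMPLE_EVENTS)
    print("ActiveAdvCount by advisory:", active_counts)
    print("PassiveAdvCount by advisory:", passive_counts)
```

Running it on the constructed events yields active counts {32: 2, 29: 1} and a passive count {6: 1}; advisory 6 no longer leaks into the active table, which is exactly the defect in the foreach version of the search.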
It worked like a charm!!! Thank you.