- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marco_massari11
Communicator
10-22-2021
05:32 AM
Hi,
I have a query like this:
index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort - count
| head 10
So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have:
Alice 10
Bob 8
Carol 7
David 4
Eddie 2
I know Alice and Bob are bot, so I need:
BOT_Alice 10
BOT_Bob 8
Carol 7
David 4
Eddie 2
Thanks in advance!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-22-2021
06:45 AM
Do something like this
index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)Update the if condition per your need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-22-2021
06:45 AM
Do something like this
index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)Update the if condition per your need.
