What I am trying to get:
A 14-day chart of category descriptions that has a meaningful count. Right now I see things like:
Type____________________________________________________________Count
Search Engines and Portal 7000
What I would like it to be:
Type_______________________________________________________________Count
Search Engines and Portal 344
On the back end a person went to google and did multiple searches for ~ 15 minutes a day over 14 days.
Detailed thoughts:
Look at an IP address's website traffic over 14 days, distinguish a visit to a site vice numerous log entries due to the initial visit to a site (walmart.com pulls something like 6-9 different events). Transform that into catdesc to show # of visits to a particular type over 14 days.
What I had originally tried was:
(IP address) www.*| chart count by catdesc limit=0 | sort -count
Thank you!
I might do something like this. I don't know if it's the most efficient or whatever but hope this helps. I like to use list rather than values but I guess I'm the only one. Maybe look at the values command as well.
ipaddress www.*(I'm guessing this is a source or sourcetype?) | bucket span=15m _time | stats list(catdesc) AS Description, list(count) as Count by (ipaddress/hostname) | sort -Count
Ryan,
Thank you for the answer, I really appreciate it.
This is what I used: (time 24 hours)
(IP Address) www.*| bucket span=15m _time | stats list(catdesc) AS Description, list(count) as count by hostname | sort -Count
I get:
Hostname Description Count
Google Search Engines and Portals was blank.
Do you know how to convert the descriptions to counts and only show:
Google Search Engines and Portals 37.
Does the bucket span 15 take the length (24 hours) and break it down into 15 minute increments?
Thank you
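Added example, not from any poster in this thread: a Python model of what `bucket span=15m _time` does (it floors each event's time to the start of its 15-minute interval) and of counting one visit per distinct bucket, hostname and catdesc combination instead of one per log entry. The sample events and the function names `bucket_start` and `visits_by_category` are constructed for illustration; `hostname` and `catdesc` are the field names used above.

```python
from collections import Counter
from datetime import datetime, timezone

SPAN = 15 * 60  # bucket width in seconds, matching span=15m

# Constructed sample events: (timestamp, hostname, catdesc).
# One page load produces several log entries, as with the walmart.com case.
EVENTS = [
    ("2024-03-01 09:00:05", "www.google.com", "Search Engines and Portals"),
    ("2024-03-01 09:00:06", "www.google.com", "Search Engines and Portals"),
    ("2024-03-01 09:03:40", "www.google.com", "Search Engines and Portals"),
    ("2024-03-01 09:14:59", "www.google.com", "Search Engines and Portals"),
    ("2024-03-01 13:31:10", "www.google.com", "Search Engines and Portals"),
    ("2024-03-01 13:31:11", "www.walmart.com", "Shopping"),
    ("2024-03-01 13:31:11", "www.walmart.com", "Shopping"),
    ("2024-03-01 13:31:12", "www.walmart.com", "Shopping"),
    ("2024-03-02 09:05:00", "www.google.com", "Search Engines and Portals"),
]


def bucket_start(ts):
    """Floor a timestamp to the start of its 15-minute bucket (epoch seconds)."""
    parsed = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    epoch = int(parsed.timestamp())
    return epoch - epoch % SPAN


def visits_by_category(events):
    """Return (catdesc, visits, raw_events) rows, most visits first.

    A visit is one distinct (bucket, hostname, catdesc) combination, so a
    burst of entries inside one 15-minute window counts once. A visit that
    straddles a bucket boundary is counted twice; that is a limit of
    fixed-width buckets.
    """
    raw = Counter()
    seen = set()
    for ts, hostname, catdesc in events:
        raw[catdesc] += 1
        seen.add((bucket_start(ts), hostname, catdesc))
    visits = Counter(catdesc for _, _, catdesc in seen)
    return [(cat, n, raw[cat]) for cat, n in visits.most_common()]


if __name__ == "__main__":
    for cat, n, total in visits_by_category(EVENTS):
        print(f"{cat:<30} visits={n:<4} raw_events={total}")
```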