I have three columns from a search query. I would like to count the items in one column and display it next to the other two columns. E.g.:
Column A    Column B    Column C (count of columnB)
ip add 1    vuln1       4
ip add 2    vuln1       2
.. | transaction ipadd | table ipadd, vuln
All help highly appreciated.
What if you wanted to list the vuln columns and a total number at the end of each row, not summarize the values on the vuln column but count the number of vuln columns? Seems addtotals only allows for sum and not a count.
ipadd vuln1 vuln2 vuln3...... total columns
Thanks for your response,
Your solution worked a treat!!! I did amend it a bit.
basesearch | transaction ipadd | eventstats dc(columnB) as columnC by ipadd | table columnA, columnB, columnC
You can do this through stats instead of transaction if ipadd is the only key for correlation:
<YourBaseSearch> | stats values(vuln) as vuln dc(vuln) as VulnCount by ipadd
You do not need transaction
try something like this:
your_search | transaction ipadd | stats values(ColumnB) AS ColumnB values(ColumnC) AS ColumnC count by ColumnA | rename count AS "Column D"
Thanks for your response
Your query counts by the ipadd field, giving a result of one. The columnC is hypothetical at the moment. It is what I am looking to add. I tried the query as is and the result was that columnC was always 1, which is less than the sum of values in columnB.
This edited query gives a false result (higher count than what columnB has)
| transaction ipadd
| stats values(ColumnB) AS ColumnB count by ColumnA
| rename count AS "Column D"
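
A run-anywhere search for the stats-based answer above, added here as an example and not posted by anyone in the thread. The six events and the 192.0.2.x addresses are constructed sample data, and EventCount is a column added only for comparison with the distinct count.

```spl
| makeresults count=6
| streamstats count AS n
| eval ipadd=case(n<=4, "192.0.2.1", true(), "192.0.2.2")
| eval vuln=case(n==1, "vuln1", n==2, "vuln2", n==3, "vuln3", n==4, "vuln1", n==5, "vuln1", n==6, "vuln4")
| stats values(vuln) AS vuln dc(vuln) AS VulnCount count AS EventCount by ipadd
```

192.0.2.1 reports vuln1 twice, so its VulnCount is 3 while its EventCount is 4: dc() matches the values listed in the vuln column, and a plain count does not.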