I'm trying to make a visualization showing our number of signatures, but the data is not very organized because I have 20+ results with variations of the name "Generic", for example:
Generic.TC.ldrvmp | 1 |
Generic.TC.ligldq | 1 |
Generic.TC.ljhook | 1 |
Generic.TC.lmzdbq | 1 |
Generic.TC.lnionm | 1 |
Generic.TC.lniqpu | 1 |
Generic.TC.lxboaq | 1 |
Generic.TC.mpneia | 1 |
Generic.TC.mpngod |
I want to group all these results under the name "generic", but it seems that if I try to use wildcards in the search below it gives me an error. I could write out each signature individually in the |eval command, but that seems very inefficient. I was wondering whether it is possible to group the results into the same name?
| eval signature=case(signature="Generic.*", "generic")
| stats count by signature
| sort -count
| eval signature=case(match(signature,"Generic.*"), "generic",1==1,signature)
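As an added example (not part of the thread), the same idea generalized so that every signature is collapsed to its leading family name (Generic, Trojan, Adware, ...) instead of only the Generic variants; the signature values are constructed with makeresults/split so the search runs on any Splunk instance, and the real search would replace those first three lines with the original data source.

```spl
| makeresults
| eval signature=split("Generic.TC.ldrvmp;Generic.TC.ligldq;Generic.TC.ljhook;Trojan.Agent.abc;Adware.Foo.bar;Trojan.Agent.xyz", ";")
| mvexpand signature
| rex field=signature "^(?<family>[^.]+)\."
| eval family=lower(coalesce(family, signature))
| eval family=case(match(signature, "^Generic\."), "generic", true(), family)
| stats count by family
| sort -count
```

The rex line extracts everything before the first dot as the family; the case() line is the thread's own approach kept for the Generic group, with true() as the catch-all instead of 1==1, and coalesce() keeps any signature that has no dot from being dropped.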
Thank you this works