I am using this Search String to return results for specific user accounts:
search index=summary user_id=****** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time
I am looking to aggregate the results by destination domain, and show an aggregate number for each domain by browsing_time and show a count. So instead of showing:
google.com 2mins
google.com 1min
google.com 5min
It would show only
google.com 8mins Count 3
Thanks for any help...
For your original question, this should work
search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browsing_time) as total_browsing_time count by dest_domain
Can you give more details about what you need as part of the 2nd question?
Hey, you're right,
search sourcetype=wsa_accesslogs user_id=* | search x_webcat_code_full!=Advertisements | transaction user_id maxpause=5m | search dest_domain=*| stats sum(duration) as browsing_time by dest_domain | fieldformat browsing_time = tostring(browsing_time,"duration")
This gives me what I am looking for thanks!
"search sourcetype=wsa_accesslogs" vs "search index=summary" gives you a breakdown of the actual site visit times. Anyone else have an answer on how to aggregate the sites and times visited?
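The reason the original search never collapsed rows is that its stats command groups by _time, user_id and duration, which are unique per event, so every event stays its own row; fieldformat is also display-only, so it has to follow the stats that produces the number it formats. The following is an added example, not a search posted in this thread; it assumes the same field names as the original search (index=summary, user_id, dest_domain, duration, x_webcat_code_full) and adds a distinct-user count that the thread did not ask for:

```spl
index=summary user_id=* dest_domain=* x_webcat_code_full!=Advertisements
| stats sum(duration) AS browsing_time, count AS visits, dc(user_id) AS users BY dest_domain
| fieldformat browsing_time = tostring(browsing_time, "duration")
| sort - browsing_time
```

Adding user_id to the BY clause (BY dest_domain, user_id) gives the per-user breakdown asked about above while keeping one row per domain per user.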