How can I do a search count by dn here? tag=101 means search. I have already used transaction conn to separate the events based on connection number.
Try this instead of using transaction:
*EDITED*
your base search | eventstats values(dn) as dn by conn | where tag=101 | timechart count by dn usenull=f useother=f
This is a preview of how the data is indexed initially.
https://postimg.org/image/igb8y7ohv/. I couldn't as I don't have enough karma points. Can you see the link now?
Yes, I see it now.
I assume the events you shared are from a search like this: your base search tag=101, right? Because I don't see dn= anywhere. Try the updated query I posted.
The events I have posted are without any search, just the raw file. When I do a search for tag=101, all the dn fields disappear. I did get an output using the new query, but the result is different from what I expected and it's not a timechart.
Try the edited query.
I did. It doesn't work. I think you'd be able to solve it if I could send you the log file.
That'll be great. Share a few events.
Thanks. I've added a link to the image URL for you.
I don't see the link. All I see is alt text. Just paste a few events into your original question.
Thanks for the reply. Sorry, but it says "No results". If I don't use transaction, then the events are not grouped based on conn number. The DN value is only present after the binding is complete, so I used transaction so that the dn and SRCH are grouped in the same event.
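The join the thread is circling around is "carry the dn from the BIND line over to the later search lines of the same connection", which is what `eventstats values(dn) as dn by conn` does before `where tag=101` and `timechart count by dn`. The following is an added example, not code from the original post or from Splunk: a plain-Python version of that pipeline run over constructed OpenLDAP-style access-log lines. The sample lines, the host and process names in them, and the assumption that tag=101 is the search RESULT line of a connection whose BIND line carries the dn are all assumptions made for the example. It also shows the one caveat a practitioner should know about `values(dn)`: it collects every dn ever bound on the connection, regardless of order, so a connection that rebinds gets its searches counted under every dn, including searches that happened before the rebind. The `latest_bind_only=True` mode attributes each search to the dn bound most recently before it instead.

```python
"""Correlate LDAP search results (tag=101) with the bind dn of their connection.

Plain-Python equivalent of
  ... | eventstats values(dn) as dn by conn | where tag=101 | timechart count by dn
over OpenLDAP-style access-log lines.  Sample data, host/process names and the
field layout are constructed for this example, not taken from the original post.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: only the BIND line carries dn=..., the SRCH line and its
# "RESULT tag=101" line carry conn=... only, so dn has to be joined on conn.
# conn=1001 rebinds (svc-app, then alice); conn=1003 binds anonymously (dn="").
SAMPLE_LOG = """\
Mar 10 09:00:01 ldap1 slapd[812]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar 10 09:00:01 ldap1 slapd[812]: conn=1001 op=0 BIND dn="cn=svc-app,ou=services,dc=example,dc=com" method=128
Mar 10 09:00:01 ldap1 slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
Mar 10 09:00:02 ldap1 slapd[812]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Mar 10 09:00:02 ldap1 slapd[812]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 10 09:00:03 ldap1 slapd[812]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40011 (IP=0.0.0.0:389)
Mar 10 09:00:03 ldap1 slapd[812]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Mar 10 09:00:03 ldap1 slapd[812]: conn=1002 op=0 RESULT tag=97 err=0 text=
Mar 10 09:00:04 ldap1 slapd[812]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Mar 10 09:00:04 ldap1 slapd[812]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=250 text=
Mar 10 09:01:09 ldap1 slapd[812]: conn=1001 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar 10 09:01:09 ldap1 slapd[812]: conn=1001 op=2 RESULT tag=97 err=0 text=
Mar 10 09:01:10 ldap1 slapd[812]: conn=1001 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=carol)"
Mar 10 09:01:10 ldap1 slapd[812]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 10 09:01:12 ldap1 slapd[812]: conn=1003 op=0 BIND dn="" method=128
Mar 10 09:01:12 ldap1 slapd[812]: conn=1003 op=0 RESULT tag=97 err=0 text=
Mar 10 09:01:13 ldap1 slapd[812]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"
Mar 10 09:01:13 ldap1 slapd[812]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=300 text=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$"
)
BIND_RE = re.compile(r'\bBIND dn="(?P<dn>[^"]*)"')
TAG_RE = re.compile(r"\btag=(?P<tag>\d+)\b")


def parse_events(text):
    """Turn raw lines into dicts with ts and conn plus, where present, dn and tag."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines not tied to a connection cannot be joined, skip them
        ev = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
              "conn": m.group("conn")}
        b = BIND_RE.search(m.group("rest"))
        if b:
            ev["dn"] = b.group("dn") or "anonymous"  # OpenLDAP logs dn="" for anonymous binds
        t = TAG_RE.search(m.group("rest"))
        if t:
            ev["tag"] = int(t.group("tag"))
        events.append(ev)
    return events


def dn_by_conn(events):
    """eventstats values(dn) as dn by conn: every dn ever bound on each connection."""
    table = defaultdict(set)
    for ev in events:
        if "dn" in ev:
            table[ev["conn"]].add(ev["dn"])
    return dict(table)


def searches_by_dn(events, bucket="%b %d %H:%M", latest_bind_only=False):
    """Count tag=101 events per time bucket and dn (buckets appear in log order).

    latest_bind_only=False mirrors eventstats values(): a connection that rebinds has
    each of its searches attributed to every dn it bound, even searches made before
    the rebind.  latest_bind_only=True walks the events in order and attributes a
    search to the dn bound most recently before it.
    """
    counts = defaultdict(Counter)
    if latest_bind_only:
        current = {}
        for ev in events:
            if "dn" in ev:
                current[ev["conn"]] = ev["dn"]
            if ev.get("tag") == 101 and ev["conn"] in current:
                counts[ev["ts"].strftime(bucket)][current[ev["conn"]]] += 1
    else:
        table = dn_by_conn(events)
        for ev in events:
            if ev.get("tag") != 101:
                continue
            for dn in table.get(ev["conn"], ()):  # usenull=f: no bind on the conn, no row
                counts[ev["ts"].strftime(bucket)][dn] += 1
    return {b: dict(c) for b, c in counts.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"latest_bind_only={mode}")
        for bucket, per_dn in searches_by_dn(parse_events(SAMPLE_LOG), latest_bind_only=mode).items():
            for dn, n in per_dn.items():
                print(f"  {bucket}  {n:4d}  {dn}")
```

On the sample above the `values()`-style join counts the 09:00 search on conn=1001 under both svc-app and alice, because alice's bind on that connection happens a minute later; the latest-bind mode counts it under svc-app only. Which behaviour is wanted depends on whether the question is "which identities were ever active on the connection that searched" or "who was bound when the search ran"; for the second, the per-connection state has to be carried in event order rather than collected over the whole connection.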