index=client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out"
| rex "^\[(?<time>[^\]]+)\].*\[(?<ip>[^\]]+)\]\[(?<name>[a-zA-Z]*)\](?<type>[^\(]+)\(\d*\)(.*makeModel=(?<device>.*),make)*(:StdOUT (?<macaddress>.*))*.*"
| eval _time=strptime(time,"%a %b %d %H:%M:%S")
| fields - _raw time
| stats count as eventCount min(_time) as _time max(_time) as latestTime values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip
| eval duration=(latestTime-_time)
| fields - latestTime
| search allTypes="NodeManager.getNodeByHWaddress" AND allTypes!="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost" | fields - allTypes
The above search query creates a table which has a column with users' MAC addresses. There is an additional condition I want to add to the table that I don't know how to do. The condition is to only display the users whose MAC addresses appear in past logs on different days. I'm trying to find the users who have used my program multiple times in the past and keep using it.
If the search below returns events that are on different days, then I want to display this user in the table I created above. Thanks!
index=client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" 3c-43-a3-cc-f5-3f
You can use the `join` command if you want to retrieve the list of users for the MAC addresses you have obtained, or you can use `appendcols` if the two queries are not related.
Try adding this to the end of your query:
| bucket span=1d _time | stats count values(*) as * by macaddress | where count > 1
It makes my table return only one row, with the macaddress column empty and the other columns listing all their values in that one row, so I can't tell which information is correlated to which user.
The macaddress field would be empty only if none of the events have a value for that column by the time the `stats` command runs. What do your results look like before the `bucket` command?
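A worked version of what the question and the `bucket`/`stats` answer are after, written as an added example in Python rather than SPL (it is not code from this thread). It assumes the rex group-to-field mapping implied by the poster's `stats` command (time, ip, name, type, device, macaddress), a fixed year of 2024 for the year-less catalina.out timestamps, and the constructed log lines embedded below; none of these come from the thread. The point it shows is that the distinct-day count has to be taken over the raw events, before they are collapsed to one row per IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Python port of the poster's rex. Python's re spells named groups (?P<name>...)
# where Splunk's PCRE uses (?<name>...). The group names are the fields the
# poster's stats command consumes; the exact mapping is assumed, not confirmed.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\].*\[(?P<ip>[^\]]+)\]\[(?P<name>[a-zA-Z]*)\]"
    r"(?P<type>[^(]+)\(\d*\)"
    r"(.*makeModel=(?P<device>.*),make)*(:StdOUT (?P<macaddress>.*))*.*"
)

# catalina.out timestamps carry no year, so one is assumed when parsing.
LOG_YEAR = 2024

# Constructed sample lines in the layout the rex implies (not real log data).
SAMPLE_LOG = """\
[Mon Mar 04 09:15:02] [10.0.0.5][alice]NodeManager.getNodeByHWaddress(12) makeModel=Dell Latitude,make:StdOUT 3c-43-a3-cc-f5-3f
[Mon Mar 04 09:15:03] [10.0.0.5][alice]RegistrationController.initOsList(12):StdOUT 3c-43-a3-cc-f5-3f
[Mon Mar 04 09:15:04] [10.0.0.5][alice]GetPolicy.doPost(12) policy sent
[Wed Mar 06 14:02:10] [10.0.0.9][alice]NodeManager.getNodeByHWaddress(13) makeModel=Dell Latitude,make:StdOUT 3c-43-a3-cc-f5-3f
[Wed Mar 06 14:02:11] [10.0.0.9][alice]GetPolicy.doPost(13) policy sent
[Wed Mar 06 16:40:00] [10.0.0.7][bob]NodeManager.getNodeByHWaddress(14) makeModel=HP EliteBook,make:StdOUT aa-bb-cc-dd-ee-01
[Wed Mar 06 16:40:01] [10.0.0.7][bob]ActivateNode.doPost(14) activated
[Thu Mar 07 08:00:00] [10.0.0.11][carol]NodeManager.getNodeByHWaddress(15) makeModel=Lenovo T14,make:StdOUT 00-11-22-33-44-55
[Thu Mar 07 08:00:01] [10.0.0.11][carol]RegistrationController.initOsList(15):StdOUT 00-11-22-33-44-55
[Thu Mar 07 08:00:02] [10.0.0.11][carol]GetPolicy.doPost(15) policy sent
"""

# The allTypes conditions from the poster's final search command.
REQUIRED_TYPES = {
    "NodeManager.getNodeByHWaddress",
    "RegistrationController.initOsList",
    "GetPolicy.doPost",
}
EXCLUDED_TYPES = {"ActivateNode.doPost"}


def parse_events(text, year=LOG_YEAR):
    """rex + eval _time=strptime(...): one dict per matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # rex leaves non-matching events without the fields
        ev = m.groupdict()  # non-participating groups come back as None
        ev["_time"] = datetime.strptime(f"{year} {ev['time']}", "%Y %a %b %d %H:%M:%S")
        events.append(ev)
    return events


def _values(evs, field):
    """Like values(field): distinct non-empty values, sorted."""
    return sorted({ev[field] for ev in evs if ev.get(field)})


def summarize_by_ip(events):
    """stats count/min/max/values by ip, then the allTypes include/exclude filter."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    rows = {}
    for ip, evs in by_ip.items():
        types = {ev["type"] for ev in evs}
        if not REQUIRED_TYPES <= types or types & EXCLUDED_TYPES:
            continue
        times = [ev["_time"] for ev in evs]
        rows[ip] = {
            "eventCount": len(evs),
            "_time": min(times),
            "duration": (max(times) - min(times)).total_seconds(),
            "device": _values(evs, "device"),
            "name": _values(evs, "name"),
            "macaddress": _values(evs, "macaddress"),
        }
    return rows


def days_seen_per_mac(events):
    """Distinct calendar days each MAC appears on, computed over ALL raw events.

    This is the step that must run before the per-IP aggregation: once events
    are collapsed to one row per ip, the per-day information is gone."""
    days = defaultdict(set)
    for ev in events:
        if ev.get("macaddress"):
            days[ev["macaddress"]].add(ev["_time"].date())
    return days


def returning_users(events, min_days=2):
    """Per-IP rows whose MAC was logged on at least min_days distinct days."""
    days = days_seen_per_mac(events)
    return {
        ip: row
        for ip, row in summarize_by_ip(events).items()
        if any(len(days[mac]) >= min_days for mac in row["macaddress"])
    }


if __name__ == "__main__":
    for ip, row in returning_users(parse_events(SAMPLE_LOG)).items():
        print(ip, row["name"], row["macaddress"], row["eventCount"], row["duration"])
```

On the sample data only 10.0.0.5 survives: its MAC 3c-43-a3-cc-f5-3f was logged on two different days (the second day from another IP that fails the allTypes filter on its own), while carol's row passes the filter but her MAC appears on a single day. The same ordering applies in SPL: compute the day count on the raw events, for instance `eval day=strftime(_time,"%Y-%m-%d") | eventstats dc(day) as daysSeen by macaddress`, placed before the `stats ... by ip`, then carry `max(daysSeen) as daysSeen` through the stats and end with `where daysSeen > 1`. Appending `bucket span=1d _time | stats ... by macaddress` after the per-IP stats cannot work, because at that point each IP is already a single row whose `_time` is its earliest event. One further thing to check against your data: on a multivalue field `allTypes!="ActivateNode.doPost"` does not behave like `NOT allTypes="ActivateNode.doPost"`, and the example above implements the latter, i.e. the IP is dropped if any of its events has the excluded type.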