I am attempting to get the top values from a datamodel and output a table.
The query that I am using:
| from datamodel:"Authentication"."Failed_Authentication"
| search app!=myapp
| top limit=20 user app sourcetype
| table user app sourcetype count
This gets me the data that I am looking for. However, if a user fails to authenticate to multiple applications (for example win:remote and win:auth), they will have two entries in the table, for example:
user1, win:remote, wineventlog:security, 100
user1, win:auth, wineventlog:security, 80
Ideally, I would like a table that reads:
user1, win:remote; win:auth, wineventlog:security, 180
Is there a way to concatenate or combine these fields for each top user?
Hello @richardphung,
Try out this search:
| from datamodel:"Authentication"."Failed_Authentication"
| search app!=myapp
| stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
| eval users=mvjoin(users,", ")
| sort -total_count | head 20
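The same stats/mvjoin technique can also be turned around to produce the per-user layout the question asks for (one row per user and sourcetype, apps joined into one cell, failures summed across apps). This is an added example, not a query from the thread; it assumes the same data model and the same user, app and sourcetype field names as the question.

```spl
| from datamodel:"Authentication"."Failed_Authentication"
| search app!=myapp
| stats count as count values(app) as app by user, sourcetype
| eval app=mvjoin(app, "; ")
| sort -count
| head 20
| table user app sourcetype count
```

Because stats counts every event in the group, count is the total across all of a user's apps (180 for the example rows), which is the number that matters when looking for accounts being hit across several applications; unlike top, this variant does not produce a percent column.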