How to automatically initiate second search using ...

Itsecuser1 · ‎01-23-2022

index=logs appname="nameofapp " url=somewebsitenamestring | stats count by user | sort - count | where count > 100

I would get results of 5 users and i want to initiate a different search using the results , can you let me know how i can do it

index=logs appname="appname " user="here i need those 5 user names found in the results to be inserted " url=*somewebsitenamestring | table _time user url

I would prefer to receive 5 individual csv files for each user rather than one file with all 5 user data.

Thanks for your help , please let me know if this is possible

ITWhisperer · ‎01-23-2022

index=logs   appname="appname url=*somewebsitenamestring   
 [ search index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | where count > 100 | table user ]
|   table _time user url

Itsecuser1 · ‎01-23-2022

Thanks a lot , i am able to view the results of the user , but i am not able to see a statistics table sorted by the user with the highest count , please can you let me know if it is possible to display the table

Also is it possible to generate a CSV file for each individual user with the highest count ( higher than 100) as part of an alert or as a report

ITWhisperer · ‎01-23-2022

index=logs   appname="appname url=*somewebsitenamestring   
 [ search index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | where count > 100 | table user ]
| eventstats count by user
| sort -count
| table _time user url count

I don't think you can generate a csv file for each user, you can generate a csv file but it would contain all the results.

How to automatically initiate second search using the results of the first search

count

other

stats

table

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update