Solved: How to create a search that will show other fields...

jregexsaurus · ‎05-16-2022

This search will display port numbers from the Endpoint datamodel

| tstats 'summariesonly ' count from datamodel=EndPoint.Port.dest_port

I would like to create a search that will show other fields like dest_bunit with the port.

Without the datamodel I could just do a stats count by dest port. I'm not sure how to replicate this query using the datamodel.

richgalloway · ‎05-16-2022

The syntax may not be exactly right, but have you tried something like this?

| tstats `summariesonly` count, values(Endpoint.Port.dest_bunit) as dest_bunits from datamodel=EndPoint.Port.dest_port

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎05-16-2022

The syntax may not be exactly right, but have you tried something like this?

| tstats `summariesonly` count, values(Endpoint.Port.dest_bunit) as dest_bunits from datamodel=EndPoint.Port.dest_port

---
If this reply helps you, Karma would be appreciated.

VatsalJagani · ‎05-16-2022

Or this:

| tstats `summariesonly` count as dest_bunits from datamodel=EndPoint.Port by Endpoint.Port.dest_port, Endpoint.Port.dest_bunit

If not, try below:

| tstats `summariesonly` count as dest_bunits from datamodel=EndPoint.Port by Port.dest_port, Port.dest_bunit

I hope this helps!!!

How to create a search that will show other fields like dest_bunit with the port?