Hi mztopp,
Please check if this helps for alert
Query:
| makeresults
| eval User_Name="a",POP_Address="192.168.0.1"
| append
[| makeresults
| eval User_Name="a",POP_Address="172.16.0.1"]
| append
[| makeresults
| eval User_Name="b",POP_Address="193.168.0.1"]
| append
[| makeresults
| eval User_Name="c",POP_Address="172.16.0.1"]
| append
[| makeresults
| eval User_Name="b",POP_Address="194.168.0.1"]
| append
[| makeresults
| eval User_Name="a",POP_Address="194.168.0.1"]
| fields _time User_Name POP_Address
| eval Connection_Type=case(LIKE(POP_Address,"192.168%"),"Internal",LIKE(POP_Address,"172.16%"),"Internal",0=0,"External")
| stats sum(eval(Connection_Type="Internal")) as Internal sum(eval(Connection_Type="External")) as External count AS Total by User_Name
| fillnull value=0 Internal,External
Output:
Once you have defined condition when this alert needs to be triggered please user "WHERE" command
Example:
| where External>1
Alert gets triggered including users when External connections are greater than 1 like this
Thanks,
Pradeep Reddy
Hi mztopp,
Please check if this helps
Query:
| makeresults
| eval User_Name="a",POP_Address="192.168.0.1"
| append
[| makeresults
| eval User_Name="a",POP_Address="172.16.0.1"]
| append
[| makeresults
| eval User_Name="b",POP_Address="193.168.0.1"]
| append
[| makeresults
| eval User_Name="c",POP_Address="172.16.0.1"]
| append
[| makeresults
| eval User_Name="b",POP_Address="194.168.0.1"]
| append
[| makeresults
| eval User_Name="a",POP_Address="194.168.0.1"]
| fields _time User_Name POP_Address
| eval "Internal/External"=case(LIKE(POP_Address,"192.168%"),"Internal",LIKE(POP_Address,"172.16%"),"Internal",0=0,"External")
| stats count by User_Name "Internal/External"
Tabular Output:
Thanks,
Pradeep Reddy
Hi mztopp,
Please check if this helps for alert
Query:
| makeresults
| eval User_Name="a",POP_Address="192.168.0.1"
| append
[| makeresults
| eval User_Name="a",POP_Address="172.16.0.1"]
| append
[| makeresults
| eval User_Name="b",POP_Address="193.168.0.1"]
| append
[| makeresults
| eval User_Name="c",POP_Address="172.16.0.1"]
| append
[| makeresults
| eval User_Name="b",POP_Address="194.168.0.1"]
| append
[| makeresults
| eval User_Name="a",POP_Address="194.168.0.1"]
| fields _time User_Name POP_Address
| eval Connection_Type=case(LIKE(POP_Address,"192.168%"),"Internal",LIKE(POP_Address,"172.16%"),"Internal",0=0,"External")
| stats sum(eval(Connection_Type="Internal")) as Internal sum(eval(Connection_Type="External")) as External count AS Total by User_Name
| fillnull value=0 Internal,External
Output:
Once you have defined condition when this alert needs to be triggered please user "WHERE" command
Example:
| where External>1
Alert gets triggered including users when External connections are greater than 1 like this
Thanks,
Pradeep Reddy
