Solved: Re: How to create a table to show events for the p...

aaroncherian · ‎07-02-2020

I am trying to create a table something like this that will fetch the data for all the events for the past 7 days. I want this to be ran any time and it would update the dates dynamically at the top. I want it to look something like this:

Host	Sourcetype	6/1	6/2	6/3	6/4	6/5	6/6	6/7
" "	" "	Count	Count	Count	Count	Count	Count	count

Here is my search so far:

index=" " | bucket span=1d _time | eval dayOfDate=strftime(_time,"%Y/%m/%d")  | stats count by host, sourcetype, dayOfDate | table host sourcetype dayOfDate count | rename count as "Number of events"

The dates show vertically and I wanted it to show up as column headers for the last 7 days that updates dynamically whenever I run this search.

to4kawa · ‎07-02-2020

View solution in original post

to4kawa · ‎07-02-2020

aaroncherian · ‎07-04-2020

Thanks for that @to4kawa !!

But is it possible to have two different columns for hosts and sourcetype instead of just them being combined into one column with a "::" in the middle? (Exact same format as my example output)

to4kawa · ‎07-04-2020

add
| rex field=hosts "(?<host>.*?)::(?<sourcetype>.*)"
| fields - hosts
| table host sourcetype *

aaroncherian · ‎07-04-2020

EDIT: Worked perfectly! Thanks @to4kawa !!!!

How to create a table to show events for the past 7 days

count

field extraction

stats

table

timechart

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!