Solved: How to display different count of event by user

papemalik · ‎12-26-2016

Hello,

I would like the display by user, different count.

For example: i have several rule such as M, N, O, P, Q . for each user A (for instance) i would like to display the count of each event related to the rules and have a risk score.

user-----rule-----count----total_count
A----------M----------2----------6
-----------N----------3----------

-----------O----------1----------

for now i can do the total_count but not the detailed count.

Thank you in advance for your help

somesoni2 · ‎12-26-2016

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user

View solution in original post

papemalik · ‎12-27-2016

@rjthibod it works but for instance when a user has 2 rules, it shows the user's name twice.
For the risk score, we set up a value a risk value for each rule so that the risk for a user increments when he/she hit a rule. The goal is to show the risk score at the end.

@somesoni2 ♦ it works perfect, now i have to add the risk score.

Thank you guys for your help

somesoni2 · ‎12-26-2016

Give this a try

your base search | stats count by user rule | sort 0 -count | stats list(rule) as rule list(count) as count sum(count) as total_count by user

rjthibod · ‎12-26-2016

You want to use something like stats to get the individual counts per rule and user and then eventstats to add the total count per user.

You will to post more information in order to get help about the "risk score". Not sure what you are trying to calculate.

YOUR SEARCH ... 
| stats count as count by user rule 
| eventstats sum(count) as total_count by user
| table user rule count total_count
| sort +user

How to display different count of event by user

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation

Tips & Tricks When Using Ingest Actions