From the following search result I want to extract User-Name and Calling-Station-Id, and both fields have multiple values. Once I am able to extract the fields, I will then need to find the list of Calling-Station-Id and User-Name that meets the following criteria: "The same Calling-Station-Id has more than one User-Name". I will then need to see the trend of new Calling-Station-Id that matches this criteria. What's the best way to address this problem? Can anyone please help?
2015/06/12 09:59:12.196 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(!afsheen77@aaa.twcwifi.com),(Framed-IP-Address)=(10.106.42.82),(NAS-IP-Address)=(24.27.229.164),(NAS-Identifier)=(nycmny83-cr02ras03.wifi.rr.com),(NAS-Port)=(0),(NAS-Port-Id)=(0/0/0/201),(NAS-Port-Type)=(Virtual),(Calling-Station-Id)=(78-4b-87-e8-0e-10),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi),(Class)=(VISITEDMSO\=}
I didn't it test it at all, but something like this maybe.
[your initial search] | rex "User-Name\)=\((?<user>[^\)]+)" | rex "Calling-Station-Id\)=\((?<station>[^\)]+)" | stats dc(user) as user_count by station | where user_count > 1
Thanks, this worked. The second thing I wanted to do is to chart (maybe timechart) the station counts by time. This way I can tell how many new stations are matching this criteria over time.
I'm not sure how many stations you have, so the chart could be a little busy, but maybe just something like this?
[your initial search] | rex "User-Name\)=\((?<user>[^\)]+)" | rex "Calling-Station-Id\)=\((?<station>[^\)]+)" | timechart dc(user) as user_count by station
You could still pipe to where at the end too if you only want to see those stations that have multiple users. It's really just a matter of exactly what you want to see on the timechart.
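The rex/stats search above and the timechart variant are Splunk SPL, so here is the same logic as an added, stand-alone Python example (not code from any of the answers) that a reader can run offline against the AVP format shown in the question. The sample events are constructed (only the first mirrors the posted line; the other MACs and user names are made up). It assumes an interpretation of "new stations over time" that the thread itself leaves open: a station is counted once, on the day its second distinct User-Name first appears. It also lowercases the MAC before grouping, which the SPL does not do; without that, the same adapter logged in two cases would count as two stations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the AVP format from the question. MACs and user
# names are invented; the first line copies the shape of the posted event.
SAMPLE_EVENTS = """\
2015/06/12 09:59:12.196 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(!afsheen77@aaa.twcwifi.com),(Framed-IP-Address)=(10.106.42.82),(NAS-IP-Address)=(24.27.229.164),(Calling-Station-Id)=(78-4b-87-e8-0e-10),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi)}
2015/06/12 10:05:01.000 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(user.two@example.net),(Calling-Station-Id)=(78-4B-87-E8-0E-10),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi)}
2015/06/12 11:20:44.512 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(solo@example.net),(Calling-Station-Id)=(aa-bb-cc-dd-ee-01),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi)}
2015/06/13 08:00:00.000 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(user.two@example.net),(Calling-Station-Id)=(78-4b-87-e8-0e-10),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi)}
2015/06/13 09:30:15.000 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(third@example.net),(Calling-Station-Id)=(aa-bb-cc-dd-ee-02),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi)}
2015/06/13 09:45:15.000 (Notice) Skipping AVP AAA-Value-0= [1] = {(User-Name)=(fourth@example.net),(Calling-Station-Id)=(aa-bb-cc-dd-ee-02),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi)}
"""

# Same idea as the rex commands: the value sits between ")=(" and the next ")".
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
USER_RE = re.compile(r"User-Name\)=\(([^)]+)")
STATION_RE = re.compile(r"Calling-Station-Id\)=\(([^)]+)")


def parse_events(text):
    """Return a list of (timestamp, user, station) for lines carrying all three."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        user = USER_RE.search(line)
        station = STATION_RE.search(line)
        if not (ts and user and station):
            continue  # like rex: an event that does not match just has no field
        when = datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S")
        # Assumption: MAC case varies between NAS vendors, so normalize it.
        events.append((when, user.group(1), station.group(1).lower()))
    return events


def shared_stations(events):
    """Equivalent of: stats dc(user) AS user_count values(user) BY station
    | where user_count > 1. Returns {station: sorted list of distinct users}."""
    users_by_station = defaultdict(set)
    for _, user, station in events:
        users_by_station[station].add(user)
    return {s: sorted(u) for s, u in users_by_station.items() if len(u) > 1}


def new_shared_stations_per_day(events):
    """Trend of newly shared stations: each station is counted once, on the
    day its second distinct user first shows up (the day it meets the rule)."""
    seen_users = defaultdict(set)
    first_shared_day = {}
    for when, user, station in sorted(events):
        seen_users[station].add(user)
        if len(seen_users[station]) == 2 and station not in first_shared_day:
            first_shared_day[station] = when.date().isoformat()
    trend = defaultdict(int)
    for day in first_shared_day.values():
        trend[day] += 1
    return dict(sorted(trend.items()))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for station, users in shared_stations(evs).items():
        print(station, len(users), users)
    print(new_shared_stations_per_day(evs))
```

A plain `timechart dc(user) by station` reports how many users a station had in each bucket, which is not the same as "new stations this period"; `new_shared_stations_per_day` shows the distinction by only crediting a station on the day it first crosses the two-user line.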
Assuming you already have the field extractions working, this will work for the first part:
... | stats dc(User-Name) AS numUsers values(User-Name) AS UserNames BY Calling-Station-Id | where numUsers > 1
As for this part:
I will then need to see the trend of new Calling-Station-Id that matches this criteria.
I have no idea what you mean; you will have to be much more clear.