How to group by a column value

gautham · ‎08-23-2016

Hi,

I'm searching for Windows Authentication logs and want to table activity of a user.

My Search query is :

index="win*" tag=authentication | stats values(src), values(dest), values(LogonType) by user | ....

I get Results like this.

But i am looking for some

somesoni2 · ‎08-24-2016

Try like this

index="win*" tag=authentication src=* dest=* LogonType=*  | stats values(src), values(dest), values(LogonType) by user

mhpark · ‎08-24-2016

have you tried this?

 | transaction user | table user, src, dest, LogonType | ...

and if you don't want events with no dest,
you should add

dest=*

to your search query.

pradeepkumarg · ‎08-23-2016

index="win*" tag=authentication | stats values(user) by source,dest,LogonType | ....

gautham · ‎08-24-2016

Thank you pradeep for your response.

But this search does not give the expected result. I do not want values(user) . I want unique value of User.

Join the Conversation