index=appproxy sourcetype=bcoatproxysgapp OR sourcetype=bcoatproxyclientapp categories="Malicous Sources" OR "Botnets" | stats count by username,host,referrer | count> 1 | table _time username,host,referrer filterresults
Do elaborate on what you actually need help with.
There's likely a syntax error in
| count > 1 | due to lack of a search command such as
where - both will achieve what you wanted and throw out events with
Sure - this looks like a search that returns information. However, it probably won't get the categories you are looking for. The below splits out the categories into the cim field "category". If this works for what you are looking for, then it makes sense.
index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app category="Malicous Sources" OR category="Botnets" | stats count by username,host,referrer | where count> 1 | table _time username,host,referrer filter_results
Additionally, after the
stats there are no
filter_results columns, so listing them in
table doesn't seem to make sense to me.