Hello all,
I have the following search:
index="vpn_gateway" eventtype="vpn-authall" |
stats dc(vpnuid) by vpnclient |
search "dc(vpnuid)" > 1 |
fields vpnclient, dc(vpnuid) |
sort -dc(vpnuid)
This command searches our VPN index for any authentication events, counts them by source IP addresses, and if a particular IP has signed in on 2 or more accounts, the IP address and number of users is returned:
vpnclient | dc(vpnuid)
10.0.8.1 | 2
10.0.2.2 | 3
What I'd like to do is also include the ID of the users. The output should look as follows:
vpnclient | dc(vpnuid) | userid
10.0.8.1 | 2 | jsmith, smatthews
10.0.2.2 | 3 | bcarol, jjefferson, jsmith
Is this possible? I'm at a loss.
try this:
index="vpn_gateway" eventtype="vpn-authall"
| stats dc(vpnuid) values(userid) as unique_user_ids by vpnclient
| search "dc(vpnuid)" > 1
| fields vpnclient, dc(vpnuid), unique_user_ids
| sort -dc(vpnuid)
You don't really need the fields command there, as stats brings back only the fields you are "statsing".
Hope it helps.
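Added example, not from either post: the same grouping the answer's stats dc()/values() query performs, written in Python over a few constructed VPN authentication events so the expected rows can be checked offline. It assumes the user id is the vpnuid field the question counts (the answer reads a separate userid field) and keeps only eventtype=vpn-authall events, as the original search does.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape the question's search implies:
# one authentication event per line with vpnclient and vpnuid fields.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 eventtype=vpn-authall vpnclient=10.0.8.1 vpnuid=jsmith
2024-05-01T08:02:14 eventtype=vpn-authall vpnclient=10.0.8.1 vpnuid=smatthews
2024-05-01T08:05:09 eventtype=vpn-authall vpnclient=10.0.8.1 vpnuid=jsmith
2024-05-01T08:07:33 eventtype=vpn-authall vpnclient=10.0.2.2 vpnuid=bcarol
2024-05-01T08:09:45 eventtype=vpn-authall vpnclient=10.0.2.2 vpnuid=jjefferson
2024-05-01T08:12:02 eventtype=vpn-authall vpnclient=10.0.2.2 vpnuid=jsmith
2024-05-01T08:15:21 eventtype=vpn-authall vpnclient=10.0.5.7 vpnuid=agarcia
2024-05-01T08:16:40 eventtype=vpn-authfail vpnclient=10.0.5.7 vpnuid=agarcia
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Yield one dict of key=value fields per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield dict(KV_RE.findall(line))


def shared_ip_report(events, threshold=1):
    """Mirror of:
       | stats dc(vpnuid) values(vpnuid) as unique_user_ids by vpnclient
       | search dc(vpnuid) > threshold | sort -dc(vpnuid)
    Returns a list of (vpnclient, dc, sorted unique user ids)."""
    users_by_ip = defaultdict(set)
    for ev in events:
        # Same filter as eventtype="vpn-authall" in the original search.
        if ev.get("eventtype") != "vpn-authall":
            continue
        if "vpnclient" in ev and "vpnuid" in ev:
            users_by_ip[ev["vpnclient"]].add(ev["vpnuid"])
    # values() in stats returns the unique values sorted; sorted() matches that.
    rows = [(ip, len(u), sorted(u)) for ip, u in users_by_ip.items() if len(u) > threshold]
    rows.sort(key=lambda r: (-r[1], r[0]))  # sort -dc(vpnuid), IP as tie-breaker
    return rows


def format_table(rows):
    """Render rows in the pipe-separated layout used in the question."""
    lines = ["vpnclient | dc(vpnuid) | unique_user_ids"]
    for ip, dc, users in rows:
        lines.append(f"{ip} | {dc} | {', '.join(users)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(shared_ip_report(parse_events(SAMPLE_EVENTS))))
```

The 10.0.5.7 client is dropped because only one distinct user authenticated from it and its failure event is not a vpn-authall event.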