I know I must be close but missing something with this.
I have a CSV containing Group_Name which are VPN groups. I want to take that list of about 185 groups and use them to search our Cisco ASA for which groups are being used over a time period.
I have a form that does this one by one with the search to grab all the groups as:
|inputcsv ASA_VPN_Groups.csv | fields Group_Name
and the search to count the number of times accessed over the period as:
index=index01 VPN_Group=$Group_Name$ |timechart count(_raw) as num |stats sum(num)
Now I want to put them together into a table that will show me each group and how many times it has been used over the time period
Any suggestions will be very much appreciated.
index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | timechart count(_raw) AS num BY VPN_Group
Hmm, that just gives me the total number of times the VPN has been accessed (I assume by all groups).
Maybe I wasn't clear, I would like a table with groups and times accessed e.g.:
Group 1 --- 210
Group 2 --- 51
Group 3 --- 0
Group 4 --- 75
OK! Now I am getting some groups to show as columns in a table with daily counts however, after 5 groups it is lumping the rest into "Other".
Also is there a way to not show daily but just the cumulative number of all days AND put the groups down the vertical as Rows?
See my ASCII "art" above 😉
Thanks so much!
index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | stats count(_raw) AS num BY VPN_Group