Thank you, "xyseries User Sec_Module Status" solved the question.
I am unclear as to what lines 12 and 13 are doing in your solution. Would you mind expanding?
A follow-up question: the xyseries summarises on the User; however, each user can attempt to log on to the VPN multiple times in the search time period. I used transaction to associate the Sec_Module results with each attempt (using a maxspan=3s). This does not work, however, with the xyseries output, since it groups it all into one event.
Is there a way to apply a grouping to the User so that each evaluation attempt can be separated in the xyseries output?
Many Thanks,
Matt
To give an example:
index="vpn_log" packet_engine_name=CLISEC_EXP_EVAL | eval status=if(like(cli_eval_status,"%FAILED%"),"Failed","Passed") | transaction User maxspan=3s | table User,sec_module,status,_time
will show 7 authentication attempts over 24 hours for one user.
index="vpn_log" packet_engine_name=CLISEC_EXP_EVAL | eval status=if(like(cli_eval_status,"%FAILED%"),"Failed","Passed") | xyseries User sec_module status
will show 1 authentication attempt over the same 24 hours for one user.
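One way to get one xyseries row per attempt instead of one per user, as an added example that is not part of the original post or of the earlier solution. It uses the index and field names from the searches above; `prev_time`, `new_attempt`, `attempt`, `attempt_start` and `row` are hypothetical names, and the rule "a gap of more than 3 seconds starts a new attempt" is an assumed stand-in for `transaction ... maxspan=3s`, which limits the total span rather than the gap.

```spl
index="vpn_log" packet_engine_name=CLISEC_EXP_EVAL
| eval status=if(like(cli_eval_status,"%FAILED%"),"Failed","Passed")
``` order each user's events by time so streamstats sees them in sequence ```
| sort 0 User _time
``` time of the previous event for the same user (null on the user's first event) ```
| streamstats current=f last(_time) as prev_time by User
``` flag the first event of each attempt: no previous event, or a gap over 3 seconds ```
| eval new_attempt=if(isnull(prev_time) OR (_time - prev_time) > 3, 1, 0)
``` running count of flags gives a per-user attempt number ```
| streamstats sum(new_attempt) as attempt by User
``` label every event of an attempt with that attempt's start time ```
| eventstats min(_time) as attempt_start by User attempt
| eval row=User." @ ".strftime(attempt_start,"%Y-%m-%d %H:%M:%S")
``` one status per (attempt, module) so xyseries gets a single value per cell ```
| stats latest(status) as status by row sec_module
| xyseries row sec_module status
```

Each output row is then one user and attempt start time, with one column per sec_module value, so a user with 7 attempts in the search window produces 7 rows.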