Dear community I am struggling with how to allow different format in a search input, but still finding the corresponding events In my events I have mac addresses of this format 84-57-33-0D-B4-A8 I have built a dynamic dashboard where the mac adresses are found if the user types in exactly this format . However the user might search for a mac address like this  8457330DB4A8  or 84:57:33:0D:B4:A8 so in order to find results successfully, I have to recalculate the two inputs, so that are changed to the expected format. So a test query like this recalculates the first format |makeresults | eval m = "aab2c34be26e" | eval MAC2 = substr(m,1,2)."-".substr(m,3,2)."-".substr(m,5,2)."-".substr(m,7,2)."-".substr(m,9,2)."-".substr(m,11,2) | fields MAC2   a test query like this recalculates the second format: |makeresults | eval m = "aa:c3:4b:e2:6e" | eval MAC2 = replace (m,":","-") | fields MAC2   But I am failing to combine it to a joint query dependent on the input if my $mac$ address can be all three formats, then I have to choose the recalculation dependent on the input.   My idea would be to write a condition  with a regex match of $mac$ with   ([0-9A-Fa-f]{2}[-]){5}  then no  recalculation ([0-9A-Fa-f]{2}[:]){5} then  replace like shown above ([0-9A-Fa-f]{2}){5} then  substitute like shown above   I tried several ways of CASE and IF, but never got it to work... any help highly appreciated! Thanks     ... View more

Hi Everybody: I need a little help with statistics: I use this search to list all Calling_Station_IDs. In the example table below  I can find two different values for  RadiusFlow_Type, for some one one value...   mysearch | fields RadiusFlowType, Calling_Station_ID | dedup Calling_Station_ID,RadiusFlowType | table Calling_Station_ID RadiusFlowType     Calling_Station_ID RadiusFlowType A1 Wired802 A1 MAB A2 Wired802 A2 MAB A3 MAB A4 MAB A5 Wired802   So I want to get a distinct number of how many calling_station_ids do Wired802 and get that number as a percentage of ALL Calling Station IDs If I do like this, I can count the number of Calling_Station IDs which do Wired802, which in this case would be three: mysearch | fields RadiusFlowType, Calling_Station_ID | dedup Calling_Station_ID,RadiusFlowType | table Calling_Station_ID RadiusFlowType |stats count(eval(RadiusFlowType="Wired802_1x")) AS Wired_Clients so that is fine:-) But I want to calculate also the total of all unique calling_station_IDs (in this example it would be 5), so that I can calculate the percentage  of clients who do either one or both flow types .  Somehow I fail to count the total in the same search and output that in a table... How can I get an output in a table like this ?   Total distinct count Calling_Station_ID Total Wired Clients Percentage_wired MAB Only CLients Percentage_mab   5 3 3/5*100 2 2/5*100       thanks 🙂 ... View more

Hi I am using this search in order to find out what Bluecoat filter categories cause the most bandwidth utilization index=bluecoat mysearch | fields sc_filter_category sc_bytes | eventstats sum(sc_bytes) as allbytes | stats sum(sc_bytes) as "totalbytes" by sc_filter_category,allbytes | eval "Bandwidth(MB)"= round(totalbytes/(1024*1024),2) | eval Percentage=(totalbytes/allbytes)*100 | sort 10 -"Bandwidth(MB)" Tis seems to work fine. My result is as an example a table like this sc_filter_category allbytes, Bandwidth(MB), Percentage category1, 100, 20,20 category2,100, 11,11 category3,100,10,10 category4,100,5,5 So what I would like to do is then in a second search be able to list what top two URLs cause the most bandwidth for each category. The output would look like this Category Top-URLs category1 www.abc.com, www.def.com, www.ghi.com category2 www.abc1.com, www.def1.com, www.ghi1.com I am not able to find out how to search dynamically using the result of the first search... any help appreciated. ... View more