| makeresults
    ```Build one synthetic event holding the sample log lines, separated by ";". In a real search this and the next three commands are replaced by the base search over the actual log source.```
| eval data=" 08 January 2016 09:10:10 website=abc.com, user=user1, message=blahblah1; 08 January 2016 09:10:11 website=abc.com, user=user1, message=blahblah2; 08 January 2016 09:10:12 website=abc.com, user=user1, message=blahblah2x; 08 January 2016 09:10:13 website=abc.com, user=user1, message=blahblah2xxx; 08 January 2016 09:10:14 website=abc.com, user=user1, message=blahblah2xxx; 08 January 2016 09:10:15 website=abc.com, user=user1, message=blahblah2xxxxx; 08 January 2016 09:10:16 website=abc.com, user=user2, message=blahblah3x; 08 January 2016 09:10:17 website=abc.com, user=user2, message=blahblah3xx; 08 January 2016 09:10:18 website=abc.com, user=user2, message=blahblah3; 08 January 2016 09:10:19 website=abc.com, user=user3, message=blahblah4; 08 January 2016 09:10:20 website=def.com, user=user1, message=blahblah5; 08 January 2016 09:10:21 website=def.com, user=user2, message=blahblah6; 08 January 2016 09:10:22 website=def.com, user=user2, message=blahblah7; 08 January 2016 09:10:23 website=def.com, user=user2, message=blahblah8; 08 January 2016 09:10:24 website=xyz.com, user=user3, message=blahblah9"
    ```Split the string on ";" into a multivalue field, then fan it out to one result row per log line.```
| makemv delim=";" data
| mvexpand data
    ```Pull Timestamp, website, user and message out of each line. Every value is matched as a run of non-whitespace characters, so a value containing a space would be cut short. Timestamp and message are extracted but not used further down.```
| rex field=data "(?<Timestamp>\d+\s\w+\s\d+\s\d+:\d+:\d+)\s[^\s]+=(?<website>[^\s]+),\s[^\s]+=(?<user>[^\s]+),\s[^\s]+=(?<message>[^\s]+)"
| table website user
    ```Keep the two most frequent users for each website. showcount=f and showperc=f suppress the count and percent columns, so the output lists names only.```
| top limit=2 showcount=f showperc=f user by website
| rename website AS Website, user AS User