cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cobalt
Loves-to-Learn
Member since: ‎07-26-2021
‎11-15-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-26-2021
View All

Re: Guidance on query that creates a chart over ti...

by in Dashboards & Visualizations
‎07-28-2021 05:50 AM
‎07-28-2021 05:50 AM
@kamlesh_vaghela I figured out the date to render in abbreviated form: index=breaches email=* breach_site=* | rex field="breach_date" "^(?<year>[^-]+)-(?<month>[^-]+)-(?<day>.+)"| eval mon=case(month="01","Jan",month="02","Feb",month="03","Mar", month="04","Apr",month="05","May",month="06","Jun",month="07","Jul", month="08","Aug",month="09","Sep",month="10","Oct",month="11","Nov", month="12","Dec") | chart count by year mon useother=false I just need to tally the amount of "email" as part of overall "breach_site". The current output only shows all emails part of "breach_site" while I need to include "email" as part of "breach_site". Ideally, you can should be able to determine per month how many company emails were part of all emails in a breach. As I mentioned above the below only shows all emails with no breakdown to include company emails. ... View more

Re: Guidance on query that creates a chart over ti...

by in Dashboards & Visualizations
‎07-26-2021 08:42 AM
‎07-26-2021 08:42 AM
Those queries are not working unfortunately @kamlesh_vaghela  My end state is to have one query which extracts the year-month-date, show it as month abbreviated per year that breaks down the number of emails part of overall breaches. Original query: index=all_breaches company_email=* breach=* | rex field="breach_date" "^(?<year>[^-]+)-(?<month>[^-]+)-(?<day>.+)" | eval month=strftime("month","%b") | chart count by year, month The result is this:   However it need to show all months not just January, if I don't abbreviate the months then it works: Once that is working, I would like to show within the same query the emails over breaches as currently you only see the totals for all emails involved in breaches and not the company emails part of it. Ideal query: index=all_breaches company_email=* breach=* | rex field="breach_date" "^(?<year>[^-]+)-(?<month>[^-]+)-(?<day>.+)" | ##Abbreviate month query## | chart count by year, month ## query to show company emails per all breaches across each month## ... View more

Re: Guidance on query that creates a chart over ti...

by in Dashboards & Visualizations
‎07-26-2021 04:11 AM
‎07-26-2021 04:11 AM
Sure @kamlesh_vaghela  "firstname.lastname@company.com","2008-07-01","MySpace" The above is the format for the fields: email, date, breach site Some of the dates have a space after them which is why I have to do a regex on them. ... View more

Guidance on query that creates a chart over time o...

by in Dashboards & Visualizations
‎07-26-2021 03:06 AM
‎07-26-2021 03:06 AM
Hello, I have 2 queries related to a chart I am creating in relation to showing company email addresses part of data breaches represented as a stacked column chart. The first issue is the conversion of the year and month breakdown using regex: index=all_breaches company_email=* breach=* | rex field="breach_date" "^(?<year>[^-]+)-(?<month>[^-]+)-(?<day>.+)" | eval month=strftime("month","%b") | chart count by year, month The issue with the above query is that I want to convert the month to abbreviated month e.g. Jan, Feb rather than 01,02. This query only shows the first month (Jan) rather than all months (changing eval month is "mon" results in Null value field). How do show all months represented in abbreviated form? **See the chart below that uses this query index=all_breaches company_email=* breach=* | rex field="breach_date" "^(?<year>[^-]+)-(?<month>[^-]+)-(?<day>.+)" | chart count by year, month Second issue, how do I edit the above search  to show the "company_email" as part of the "breach" that is already broken down into months? Ideally the company_email forms part of the breach column chart per month. Thanks in advance! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-15-2021 12:21 PM