Hello! I have learned so much from this community over the years but there is one query I am trying to write that I cannot figure out.
I have a number of logs each containing four fields, each of those fields have a unique set of a few values. I am trying to do a count for each unique value and put it in a three column table including the field name, value, and count. I know I can hard-code all the values to give them a category/field name but as these values change over time I would rather not have to do that if possible.
Log examples
key exchange algo: dh-group-exchange-sha256, public key algo: ssh-dss, cipher algo: aes128-cbc, mac algo: sha256
key exchange algo: ecdh-sha2-nistp256, public key algo: ssh-rsa, cipher algo: aes256-ctr, mac algo: sha256
Desired result:
field
cipher
count
keyExchange
dh-group-exchange-sha256
##
keyExchange
ecdh-sha2-nistp256
##
publicKey
ssh-dss
##
publicKey
ssh-rsa
##
etc.
Is there a way to do this besides hard-coding a field for each cipher?
For reference, here is how I am pulling the two column list of cipher | count without the field name:
base search
| eval cipher=keyExchange.";".publicKey
| makemv delim=";" cipher
| stats count by cipher
This also works for two columns but appears to be a bit slower
| eval cipher = mvappend(keyExchange,publicKey)
| mvexpand cipher
| stats count by cipher
Thanks!
... View more