The problem of my stats seems to be on the index with the OR : index="fw_paloalto" ((sourcetype="pan:globalprotect" AND log_subtype="connected") OR (sourcetype="pan:system" AND log_subtype="auth" AND signature="auth-fail")) Without it, i have good results. I'm not sure i can navigate between 2 sourcetypes as I do. Or i do it wrong  ... View more

I just tried to visualize datas on my timechart (for the both dc(eval()) which works) and i only have 2 points on midnight yesterday with the number of connection. Ideally, i would like to have a timechart by week with the number of connection and auth-failed per day like this graph : I thank you a lot for your help ... View more

Same thing,   index="fw_paloalto" ((sourcetype="pan:globalprotect" AND log_subtype="connected") OR (sourcetype="pan:system" AND log_subtype="auth" AND signature="auth-fail")) | stats dc(eval(if(sourcetype="pan:globalprotect" AND log_subtype="connected" AND match(host, "(?i)PA-3020"),user,null()))) AS "Connected to PA-3020" dc(eval(if(sourcetype="pan:globalprotect" AND log_subtype="connected" AND match(host, "(?i)PA-820"),user,null()))) AS "Connected to PA-820" c(eval(if(sourcetype="pan:system" AND log_subtype="auth" AND signature="auth-fail" AND match(host, "(?i)PA-3020"),host,""))) AS "auth-fail to PA-3020" c(eval(if(sourcetype="pan:system" AND log_subtype="auth" AND signature="auth-fail" AND match(host, "(?i)PA-820"),host,""))) AS "auth-fail to PA-820"   Actually, the result is like that : (time = yesterday) Connected to PA-3020 /  Connected to PA-820 / auth-fail to PA-3020 / auth-fail to PA-820 221 => OK 32 => OK 531 531 ... View more

I tried with "" instead of null(). Now i have the same result for both. The number of events seems OK but the counts doesn't arrive to separate them by PA-3020 or PA-820 ( index="fw_paloalto" AND log_subtype="connected") OR (sourcetype="pan:system" AND log_subtype="auth" AND signature="auth-fail") | stats c(eval(if(log_subtype="auth-fail" AND match(host, "(?i)PA-3020"),host,""))) AS "auth-fail to PA-3020" c(eval(if(log_subtype="auth-fail" AND match(host, "(?i)PA-820"),host,""))) AS "auth-fail to PA-820" ... View more

( index="fw_paloalto" AND log_subtype="connected") OR (sourcetype="pan:system" AND log_subtype="auth" AND signature="auth-fail") | stats c(eval(if(log_subtype="auth-fail" AND match(host, "(?i)PA-3020"),user,null()))) AS "auth-fail to PA-3020" c(eval(if(log_subtype="auth-fail" AND match(host, "(?i)PA-820"),user,null()))) AS "auth-fail to PA-820" Thats works perfectly for the both dc() But for the two count, that sorts 0 as result. When i check in events, i well see the events with auth-fail and users. Thanks a lot, i will soon stop to disturb you ... View more

Yes, i tried. In statistics tab : With space, that sorts me 1 as result. With null(), that sorts me 0 as result  Thanks 😄  ... View more

Hello, Thanks to you 2 for your answers, that helps me a lot in term of syntax ! When i do that research ( the first line of stats) : index="fw_paloalto" | stats dc(eval(if(sourcetype="pan:globalprotect" AND log_subtype="connected" AND host="PA-3020*",user,null()))) AS "Connected to PA-3020" That displays good events with name of users.  But in the statistics tab, that sorts me 0. Do you have any idea ? I don't felle rly comfortable with IF for the moment. Thanks a lot by advance, Have a good day. Dimitri ... View more