your sample check:
| makeresults
| eval _raw="SESSION_AUTH_ID,CONNECTION_COUNT
a,178
b,65
v,36
d,21
e,12
f,12
g,10
h,8
h,5
f,4
f,4
l,3
o,2
z,2"
| multikv forceheader=1
| table SESSION_AUTH_ID,CONNECTION_COUNT
| eventstats sum(CONNECTION_COUNT) as total
| stats list(*) as * by total
| eval tmp=mvzip(SESSION_AUTH_ID,CONNECTION_COUNT)
| eval result =if( total > 200, mvindex(tmp,0,4),"the total count is smaller than 200")
| table total result
recommend:
index= aab sourcetype=topconnections earliest=-10m latest=-5m
| table SESSION_AUTH_ID , CONNECTION_COUNT
| eventstats sum(CONNECTION_COUNT) as total
| stats list(*) as * by total
| eval tmp=mvzip(SESSION_AUTH_ID,CONNECTION_COUNT)
| eval result =if( total > 200, mvindex(tmp,0,4),"the total count is smaller than 200")
| table total result
| rex field=result "(?<SESSION_AUTH_ID>[^\,]+),(?<CONNECTION_COUNT>.+)"
| table total result SESSION_AUTH_ID CONNECTION_COUNT
Hi folks. how about this?
... View more