This is a very dumb solution, but I was looking for a quick and dirty way to see the numbers. Maybe this might spark another idea with someone else.
I amended the search and did this:
| spath input=_raw output=datamodelname path="modelName"
| table datamodelname
| map search="|tstats count($datamodelname$) count from datamodel=$datamodelname$"
So this gave me this table:
Match the zero to the count table, and you get the number of events.
Again, I know it's a lame way to do it, but it works for my intents.
... View more
Here's a sample Log:
Mar 2 09:27:24 Blue_Firewall 1,2018/03/02 09:27:24,00546543517,THREAT,url,1,2018/03/02 09:27:18,18.104.22.168,22.214.171.124,32.0.01.34,126.96.36.199,DG_OUT_Internet-WebBrowse_Allow,arkansas\joeblo,,ssl,vsys1,Genius,Untrust_L3,ethernet1/2.40,ethernet1/1,Fwd-to-Some-Zone,2018/03/02 09:27:18,1662,1,51096,443,44426,443,0x40b000,tcp,alert,"amers2.apps.cp.thomsonreuters.com/",(9999),business-and-economy,informational,client-to-server,757565465,0x8000000000000000,10.0.0.0-10.255.255.255,United States,0,,0,,,0,,,,,,,,0,13,0,0,0,,Firewall-Name,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0
So here's what I want,
If "Red-Firewall" or "Green-Firewall" exists near the bottom of the log (where it says "Firewall-Name"), I want the hostname to be Red-... or Green-..., however, if there is any OTHER name there, or that field is empty, I want it to use whatever is at "Blue_Firewall" location as the hostname.
So far, when there was only 2, I could easily use
Now, I cannot.
... View more