I am looking through log files and building a report that will give a list of usage based on those logs. Currently I am only showing one of the values, Portallogins, but additional data will be pulled in a similar fashion, where Action will be one value and another column will be another value. I am using the following, and the result of 'Portal Logins' is always 0 when it should not be. Any suggestions on what is wrong in this query would be greatly appreciated.
sourcetype = drupal_app_logs domain_type = "clientportal" email != "*surfspamfree.com" email ="*@littler.com"
|dedup _time,message
|eval mytime=strftime(_time, "%Y-%m-%d-%T")
|eval Portallogins=if((action="User Login" AND domain="Login Portal"),1,0)
|stats sum(Portallogins) as "Portal Logins" by email
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,last_login,"Portal Logins",company
|sort company
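To reason about a pipeline like this offline, it helps to model each stage (base search, dedup, eval, stats, left join, sort) over a handful of records and watch where the login counter is produced. The Python below is an added example, not part of the original post or of Splunk; every event and OneLogin record in it is constructed, and the `case_sensitive` switch exists because string comparisons inside `eval` are case-sensitive in Splunk, unlike search-time value matching, so a value that reads "user login" in the raw log scores 0 under `if(action="User Login", ...)`. The `%T` format is spelled out as `%H:%M:%S` for portability, and the subsearch's `role_id{} != null` is modelled as "role_id is present and non-empty", which is an assumption about what that filter was meant to do.

```python
"""Offline model of a dedup -> conditional count -> left-join usage report.

Added example; the records below are constructed, not real Drupal or OneLogin data.
"""
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed stand-ins for drupal_app_logs events.
APP_EVENTS = [
    {"_time": 1700000000, "message": "login ok", "email": "alice@littler.com",
     "action": "User Login", "domain": "Login Portal", "domain_type": "clientportal"},
    # Exact duplicate of the event above: dedup on (_time, message) drops it.
    {"_time": 1700000000, "message": "login ok", "email": "alice@littler.com",
     "action": "User Login", "domain": "Login Portal", "domain_type": "clientportal"},
    # Same meaning, different letter case in the action value.
    {"_time": 1700000060, "message": "login ok", "email": "bob@littler.com",
     "action": "user login", "domain": "Login Portal", "domain_type": "clientportal"},
    {"_time": 1700000120, "message": "page view", "email": "alice@littler.com",
     "action": "Page View", "domain": "Login Portal", "domain_type": "clientportal"},
    # Excluded by the email filters.
    {"_time": 1700000180, "message": "login ok", "email": "eve@surfspamfree.com",
     "action": "User Login", "domain": "Login Portal", "domain_type": "clientportal"},
    # Excluded by the domain_type filter.
    {"_time": 1700000240, "message": "login ok", "email": "carol@littler.com",
     "action": "User Login", "domain": "Login Portal", "domain_type": "intranet"},
]

# Constructed stand-ins for the onelogin_roll index; role_id is a list, or None when unset.
ONELOGIN = [
    {"email": "alice@littler.com", "firstname": "Alice", "lastname": "Adams",
     "last_login": "2023-11-14", "company": "Littler", "role_id": [101]},
    {"email": "bob@littler.com", "firstname": "Bob", "lastname": "Brown",
     "last_login": "2023-11-13", "company": "Littler", "role_id": None},
]


def base_search(events):
    """Mirror the first line of the query: domain_type, then the two email filters."""
    return [e for e in events
            if e["domain_type"] == "clientportal"
            and not e["email"].endswith("surfspamfree.com")
            and e["email"].endswith("@littler.com")]


def dedup(events, keys=("_time", "message")):
    """Keep the first event for each distinct combination of the key fields."""
    seen, kept = set(), []
    for e in events:
        k = tuple(e[f] for f in keys)
        if k not in seen:
            seen.add(k)
            kept.append(e)
    return kept


def add_fields(events, case_sensitive=True):
    """eval mytime=strftime(...) and eval Portallogins=if(action=... AND domain=..., 1, 0)."""
    def norm(s):
        return s if case_sensitive else s.lower()
    out = []
    for e in events:
        e = dict(e)
        e["mytime"] = datetime.fromtimestamp(e["_time"], tz=timezone.utc).strftime("%Y-%m-%d-%H:%M:%S")
        hit = norm(e["action"]) == norm("User Login") and norm(e["domain"]) == norm("Login Portal")
        e["Portallogins"] = 1 if hit else 0
        out.append(e)
    return out


def stats_sum_by_email(events):
    """stats sum(Portallogins) as "Portal Logins" by email; rows keep first-appearance order."""
    totals = OrderedDict()
    for e in events:
        totals[e["email"]] = totals.get(e["email"], 0) + e["Portallogins"]
    return totals


def left_join(totals, onelogin):
    """join type=left email [...]: every left row survives; right-side fields fill in when matched."""
    right = {r["email"]: r for r in onelogin if r.get("role_id")}  # assumed reading of role_id{} != null
    rows = []
    for email, n in totals.items():
        r = right.get(email, {})
        rows.append({"email": email, "firstname": r.get("firstname"), "lastname": r.get("lastname"),
                     "last_login": r.get("last_login"), "Portal Logins": n, "company": r.get("company")})
    # sort company, with rows that have no company (unmatched in the join) placed last
    return sorted(rows, key=lambda row: (row["company"] is None, row["company"] or ""))


def build_report(events=APP_EVENTS, onelogin=ONELOGIN, case_sensitive=True):
    """Run the whole pipeline and return the table rows."""
    return left_join(stats_sum_by_email(add_fields(dedup(base_search(events)), case_sensitive)), onelogin)


if __name__ == "__main__":
    report = build_report()
    for row in report:
        print(row)
    # An all-zero login column is the symptom worth checking for before the report ships.
    if not any(r["Portal Logins"] for r in report):
        print("warning: no event satisfied the login condition; check field names and value case")
```

Running it with the default `case_sensitive=True` gives Alice 1 login (the duplicate event is dropped by dedup) and Bob 0, because his raw value is "user login"; with `case_sensitive=False` Bob's row becomes 1. Bob's OneLogin record has no role_id, so he is still listed (left join) but with empty name and company fields, which is the other place a row can quietly lose data in this layout.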