I am looking to do the following:
1) Create a table based on a count of blocks by week number and zone
I have the following search for that:
index="foo" sourcetype=foo
| lookup ip_cidr.csv cidr_range as src
| eval firewall=coalesce(firewall,"null")
| eval context=coalesce(context,"null")
| eval zone=coalesce(zone,"null")
| eval week_month=strftime(_time, "%V")
| bucket span=7d _time
| stats count by week_month,zone
2) Assign a rank for each zone by sorting from highest count to lowest with 1 being assigned to the zone with the highest count, 2 assigned to the zone with the second highest count, etc., i.e.:
Week 43 Rank
Zone 1 - 5
Zone 2 - 9
Zone 3 - 1
Zone 4 - 7
Week 44 Rank
Zone 1 - 15
Zone 2 - 2
Zone 3 - 11
Zone 4 - 3
I'd like to see the rank for each zone on a weekly basis
Then I'd like to compute the average rank of each zone based on their rankings per week, like so:
Average Rank
Zone 1 - 3
Zone 2 - 21
Zone 3 - 10
Zone 4 - 1
Thx
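One way to get both the per-week rank and the per-zone average rank in a single search, as an added example (not from the original post or any reply). It keeps the poster's index, sourcetype and lookup, and assumes ip_cidr.csv returns a zone field for each matching src; the week key "%G-W%V" (ISO year plus ISO week) is an assumption in place of the bare "%V" above, so that week 43 of two different years is not merged into one row.

```spl
index="foo" sourcetype=foo
| lookup ip_cidr.csv cidr_range AS src
| eval zone=coalesce(zone,"null")
| eval week=strftime(_time, "%G-W%V")
| stats count AS blocks BY week, zone
| sort 0 week, -blocks
| streamstats count AS rank BY week
| eventstats avg(rank) AS avg_rank BY zone
| table week, zone, blocks, rank, avg_rank
| sort 0 week, rank
```

How it works: stats produces one row per week and zone; sort 0 orders each week's rows from the highest block count to the lowest (0 removes the default 10,000-row limit); streamstats count BY week then numbers the rows within each week, so the zone with the most blocks gets rank 1; eventstats avg(rank) BY zone attaches each zone's average rank across all weeks without dropping the weekly detail. For the summary table alone, replace the last three lines with "| stats avg(rank) AS avg_rank BY zone | sort avg_rank". Two caveats: zones with equal block counts in a week receive distinct ranks in arbitrary order, and the synthetic "null" zone (source addresses that matched no CIDR in the lookup) is ranked like any other zone; add "| where zone!="null"" before the stats if it should not compete.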