Here is my raw data:
advisories=[Advisory@51046c2f[advisory=6,rule=LOGIN_3,passive=true], Advisory@2f9ea478[advisory=32,rule=LOGIN_30,passive=false], Advisory@795aab36[advisory=29,rule=LOGIN_26,passive=false]],passiveResponse=PassiveResultCollector@482f8caf[passivePrimary=LOGIN_3,passive=true,passiveAction=INTERDICT,passvieRules=[LOGIN_3],allRuleMarkers=[LOGIN_3]]];
index=sims_prod source=*/authentication-audit.log earliest=-1d@d
| where advisories!="[]"
| rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
| foreach advisory isPassive [eval activeAdvName=if(isPassive="false",advisory,"null") | eval activeAdvCount=if(isPassive="false",1,0)]
| stats sum(activeAdvCount) as ActiveAdvCount by activeAdvName
Current result:

activeAdvName  ActiveAdvCount
29             1
32             1
6              1

activeAdvName  ActiveAdvCount
29             1
32             1

and if I want to get the passive advisory count, I should get:

PassiveAdvName  PassiveAdvCount
6               1
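One way to get both the active and the passive counts out of this data, as an added example that is not part of the original post (it assumes only the field names and log source shown in the question; mvzip, mvexpand and split are standard Splunk commands):

With max_match=10 the rex command leaves advisory, rule and isPassive as multivalue fields on a single event, and eval's if() does not pair the Nth advisory with the Nth isPassive value. The whole event is treated as active or passive as one unit, and stats then fans the multivalue advisory field out into one row per value, which is why advisory 6 shows up under the active count above. Zipping the three fields together and expanding them to one event per advisory before evaluating fixes that:

```spl
index=sims_prod source=*/authentication-audit.log earliest=-1d@d
| where advisories!="[]"
| rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
| eval advTuple=mvzip(mvzip(advisory, rule, "|"), isPassive, "|")
| mvexpand advTuple
| eval advId=mvindex(split(advTuple, "|"), 0),
       advRule=mvindex(split(advTuple, "|"), 1),
       advPassive=mvindex(split(advTuple, "|"), 2)
| eval advType=if(advPassive="false", "Active", "Passive")
| stats count as AdvCount by advType, advId, advRule
```

On the sample event this yields Active/29/LOGIN_26, Active/32/LOGIN_30 and Passive/6/LOGIN_3, each with AdvCount 1. Append `| where advType="Active"` or `| where advType="Passive"` to get either of the two tables on its own, or replace the stats line with `| chart count over advId by advType` to get Active and Passive as side-by-side columns. mvexpand materialises one event per advisory, so on a busy day keep the earliest= window tight or raise the limit only if the search reports truncation.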