I have the following search
index=iis
| eval WebShellActive=if(match($Webshell$,"true"),"Yes",WebShellActive)
| eval LauncherActive=if(match($cs_User_Agent_$,"NeoNative*"),"Yes",LauncherActive)
| eval BrowserFlexActive=if($LauncherActive$="Yes","No",if($WebShellActive$="Yes","No","Yes"))
| bucket span=1d _time
| fillnull value="No" LauncherActive WebShellActive
| stats count by _time GUID LauncherActive WebShellActive BrowserFlexActive
For some users, that use multiple access methods in one day, the results will be as follows.
_time GUID LauncherActive WebShellActive BrowserFlexActive count
1 2016-06-02 TESTER1234 No Yes No 156
2 2016-06-02 TESTER1234 Yes No No 112
3 2016-06-02 TESTER1234 Yes Yes No 34
The desired result would be to drop the count and only have one entry for each user.
The entry would show, by day, by user, each access method used.
_time GUID LauncherActive WebShellActive BrowserFlexActive
1 2016-06-02 TESTER1234 Yes Yes No
Hope you can help!
Thanks,
↧