I've been working on a query for Cisco ISE to compare what authorization devices are getting and to count when their authorization changes. Only the two most recent authentication attempts are of interest. This query works, but I'm hoping someone can help get me to something more efficient as this takes quite a bit of time to run against a 24 hour period.
sourcetype=cisco:ise:syslog log_type=Pass*
| eventstats list(SelectedAuthorizationProfiles) as authz by Calling_Station_ID
| eval authz1=mvindex(authz, 1),
authz2=mvindex(authz, 2)
| eventstats values(authz1) as authz1 values(authz2) as authz2 by Calling_Station_ID
| where authz1!=authz2
| timechart span=1h limit=0 dc(Calling_Station_ID) as "# of Changes"
↧