Variables:
LoginString
Connections
UT=10
UT=45
Essentially, I want to grab the login string where UT=45 and then tie that LoginString to the Connections. I want to then count the number of times UT=10 happens on that same connection, and group that count by LoginString in a timechart.
```
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=12345 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="randomString"
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
```
In this case, the timechart should have 3 dots with 2 of them being the same color.
randomString would have 2 and veryUnRandom would have 1 for the first dot and 3 for the second dot.
I am close in that I am using `eventstats values(LoginString) as LoginString by conn | where tag=10 | timechart span=1h count by LoginString`, but it's giving me the connection instead.
Any advice?
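
The correlation asked about above, worked through in Python over the post's sample events as an added example (not the poster's code and not a Splunk query): it maps each connection to the LoginString seen on its UT=45 events, then counts UT=10 events per time bucket and LoginString. The one-minute bucket and the `(unknown)` label for connections that never log a UT=45 event are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample events copied from the post above.
SAMPLE = '''
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=12345 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="randomString"
[01/May/2015:20:39:47 -0400] Connections=12345 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:39:47 -0400] Connections=223333 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 - RESULT error=0 UT=10 nentries=0 etime=0.000000
[01/May/2015:20:40:47 -0400] Connections=55555 random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+Connections=(?P<conn>\d+)\b.*?\bUT=(?P<ut>\d+)\b')
LOGIN = re.compile(r'LoginString="([^"]*)"')

def parse(text):
    """Return (timestamp, connection, UT, LoginString-or-None) per event."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines without timestamp, connection and UT
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        login = LOGIN.search(line)
        events.append((ts, m['conn'], int(m['ut']), login.group(1) if login else None))
    return events

def count_by_login(events, bucket_fmt='%H:%M'):
    """Count UT=10 events per (time bucket, LoginString)."""
    # Pass 1: learn connection -> LoginString(s) from the UT=45 events.
    logins = defaultdict(set)
    for _, conn, ut, login in events:
        if ut == 45 and login:
            logins[conn].add(login)
    # Pass 2: attribute each UT=10 event to the login(s) of its connection.
    counts = Counter()
    for ts, conn, ut, _ in events:
        if ut != 10:
            continue
        for login in logins.get(conn) or {'(unknown)'}:
            counts[(ts.strftime(bucket_fmt), login)] += 1
    return dict(counts)
```
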