I am attempting to get the top values from a datamodel and output a table.
The query that I am using:
| from datamodel:"Authentication"."Failed_Authentication"
| search app!=myapp
| top limit=20 user app sourcetype
| table user app sourcetype count
This gets me the data that I am looking for. However, if a user fails to authenticate to multiple applications (for example, win:remote and win:auth), they will have two entries in the table:
For example:
user1, win:remote, wineventlog:security, 100
user1, win:auth, wineventlog:security, 80
Ideally, I would like a table that reads:
user1, win:remote; win:auth, wineventlog:security, 180
Is there a way to concatenate or combine these fields for each top user?
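One way to get the combined row described above, as an added example that is not part of the original post: instead of top (which counts per distinct user/app/sourcetype triple), aggregate with stats by user and sourcetype, collect the apps into a multivalue field, and join them with "; ". The data model, dataset and field names are those in the question; the "myapp" filter is kept as written there.

```spl
| from datamodel:"Authentication"."Failed_Authentication"
| search app!=myapp
| stats count BY user app sourcetype
| stats sum(count) AS count, values(app) AS app BY user sourcetype
| eval app=mvjoin(app, "; ")
| sort - count
| head 20
| table user app sourcetype count
```

For the sample rows in the question this yields a single row for user1 with app "win:auth; win:remote" and count 180; values() sorts the apps lexicographically, so use list(app) instead if the original event order matters.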