Jan 29 2018
09:50 AM
- last edited on
Apr 07 2022
04:52 PM
by
TechCommunityAP
Jan 29 2018
09:50 AM
- last edited on
Apr 07 2022
04:52 PM
by
TechCommunityAP
Hello,
I would like to sum two custom fields I created for failed logins in linux. Each field extracts a user name based on similar events (2 separate events though) and then I want to have a count that sums both those events based off the username into 1 count so I can get a better understanding of the total number of times that account performed the activity.
Note: sometimes one of the custom fields may not have data, while the other one does.
The query is as follows (this is looking for failed login attempts in Linux):
Jan 29 2018 03:46 PM
Sean,
Sounds like a great opportunity to use the fairly recently-introduced coalesce() command! Try the following (or click here to open it in our demo environment):
datatable (Computer: string, FailedPasswordUName_CF: string, PAMUser_CF: string, count_: int) [ "AZR02-blurryid", "", "j.doe", 3, "AZR02-blurryid", "j.doe", "", 7, "AZR02-blurryid", "", "root", 2208, "AZR02-blurryid", "root", "", 6540 ] | extend commonUID = coalesce(FailedPasswordUName_CF, PAMUser_CF) | summarize sum(count_) by commonUID
Jan 29 2018 04:03 PM
Exactly what I needed, worked perfectly. Thank you!
Feb 01 2018 09:58 AM
Hi,
Other than the elegant solution that Evgeny proposed, I have few other comments on your query:
Thanks,
Meir
Feb 03 2018 09:15 AM
Thanks Meir, ill make the recommended changes and check out the other functions.