How can I use a Conditional if statement on aggregated count value?

Comments

  • Mario Sanchez
    Hi Mike, What error are you seeing? Your condition should work correctly, you just need to make sure that line is after the "| top 10... by count" line, otherwise, the field _count would not exist. You can also use this other syntax for an if statement:

        (_sourceCategory=DomainController AND "Audit Failure") AND "myserver.mydomain.com"
        | parse ";\n\tTimeGenerated = \"*\";" as time_generated
        | parse "Source Network Address:\t*Source Port:" as src_ip_address nodrop
        | parse "Failed:*Account Name:\t\t*Account Domain:" as security_id,user_account nodrop
        | parse "\tComputer = \"*\";" as node
        | parse using public/windows/2008
        | top 10 user_account,fail_reason,node,wkstation,src_ip_address by count
        | if(_count > 50, "High", "Warning") as severity

    Cheers, Mario
  • Mike Moody
    Thanks Mario, I was putting the if condition before the top statement. I thought that was required in order to add the severity field to the field list in the top statement.
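As an added example (not from the thread and not Sumo Logic code), a Python model of the pipeline Mario describes: the parse stage yields one record per event with no _count field, "top ... by count" is what creates _count, and only after that can the if() assign severity. The regexes and sample events below are constructed approximations of the query's parse anchors, not real Windows 4625 logs.

```python
import re
from collections import Counter

# Regex equivalents of two parse anchors from the query: "*" becomes a lazy group.
ACCOUNT_RE = re.compile(r"Failed:(?P<security_id>.*?)Account Name:\t\t(?P<user_account>.*?)Account Domain:")
SRC_RE = re.compile(r"Source Network Address:\t(?P<src_ip_address>.*?)Source Port:")

def make_event(user, src_ip):
    """Constructed event text shaped like the fields the query parses (not a real log)."""
    return (f"Account For Which Logon Failed:\tSecurity ID:\t\tS-1-0-0\tAccount Name:\t\t{user}\t"
            f"Account Domain:\t\tCORP\tSource Network Address:\t{src_ip}\tSource Port:\t50000")

# Constructed sample: one account fails 60 times, another 12 times (threshold is 50).
SAMPLE_EVENTS = [make_event("svc_backup", "10.0.0.5")] * 60 + [make_event("alice", "10.0.0.9")] * 12

def parse_event(raw):
    """Parse stage: one record per raw event; note that _count does not exist here."""
    acct = ACCOUNT_RE.search(raw)
    src = SRC_RE.search(raw)
    return {
        "security_id": acct.group("security_id").strip() if acct else None,
        "user_account": acct.group("user_account").strip() if acct else None,
        "src_ip_address": src.group("src_ip_address").strip() if src else None,
    }

def top_by_count(records, keys, limit=10):
    """Equivalent of `top N <keys> by count`: groups records and emits _count per group."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return [dict(zip(keys, group), _count=n) for group, n in counts.most_common(limit)]

def add_severity(rows, threshold=50):
    """Equivalent of `if(_count > 50, "High", "Warning") as severity`, applied after top."""
    return [dict(row, severity="High" if row["_count"] > threshold else "Warning") for row in rows]

def run_pipeline(raw_events):
    """Runs the stages in the order Mario recommends: parse -> top by count -> if()."""
    records = [parse_event(e) for e in raw_events]
    # Placing the if() here would fail: no record carries _count before aggregation.
    assert all("_count" not in r for r in records)
    return add_severity(top_by_count(records, ["user_account", "src_ip_address"]))

if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_EVENTS):
        print(row)
```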
