Using multiple operators in a single query



  • Official comment
    Graham Watts

    Hi Arron,

    It's hard to confirm without testing, but it seems like you may be able to use the accum and total operators here. Can you try this approach?

    _sourceCategory=test _sourceName=test
    | parse ip_address...
    | parse server...
    | count by ip_address,_sourcehost
    | sort ip_address
    | total _count by ip_address
    | 1 as counter
    | accum counter by server
    | where _accum > 1

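To make the non-aggregating `total` and `accum` steps of the suggested query concrete, here is an added Python simulation of that pipeline over constructed rows; it is not Sumo Logic code and not part of the thread. It assumes the rows are what `count by ip_address,_sourcehost` would produce, with a `server` field still present, and the IP and host values are made up.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the output of
# `count by ip_address,_sourcehost` in the query above (values are invented).
ROWS = [
    {"ip_address": "10.0.0.5", "_sourcehost": "web-1", "server": "web-1", "_count": 3},
    {"ip_address": "10.0.0.5", "_sourcehost": "web-2", "server": "web-2", "_count": 2},
    {"ip_address": "10.0.0.9", "_sourcehost": "web-1", "server": "web-1", "_count": 1},
    {"ip_address": "10.0.0.9", "_sourcehost": "web-2", "server": "web-2", "_count": 4},
    {"ip_address": "10.0.0.9", "_sourcehost": "web-3", "server": "web-3", "_count": 1},
]


def total(rows, field, by):
    """Mimic `total <field> by <by>`: add _total = sum of `field` over all rows
    sharing the same `by` value, keeping every row (no collapsing)."""
    sums = defaultdict(int)
    for r in rows:
        sums[r[by]] += r[field]
    return [dict(r, _total=sums[r[by]]) for r in rows]


def accum(rows, field, by):
    """Mimic `accum <field> by <by>`: add _accum = running sum of `field`
    within each `by` group, in the order the rows arrive."""
    running = defaultdict(int)
    out = []
    for r in rows:
        running[r[by]] += r[field]
        out.append(dict(r, _accum=running[r[by]]))
    return out


def run_pipeline(rows):
    """sort ip_address | total _count by ip_address | 1 as counter
    | accum counter by server | where _accum > 1"""
    rows = sorted(rows, key=lambda r: r["ip_address"])   # stable sort
    rows = total(rows, "_count", "ip_address")
    rows = [dict(r, counter=1) for r in rows]
    rows = accum(rows, "counter", "server")
    # Keeps only the second and later IP seen on each server, so a server
    # that has been contacted by just one address drops out of the result.
    return [r for r in rows if r["_accum"] > 1]


if __name__ == "__main__":
    for row in run_pipeline(ROWS):
        print(row)
```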
    Aaron Stratton

    Hi Graham,

    Thank you, this is brilliant. I implemented your counter and used accum and total like you did in your example, and we have exactly what we were looking for. This has saved me a lot of headaches.

    Graham Watts

    Happy to help, Aaron. I am a fan of doing it all in one search if possible!
