Create separate field to show total

Follow
Avatar
Brad Corey

I have this query that counts distinct users and groups them by VPN device. The counts for each is fine but I would like the TOTAL to be a separate field showing the sum of all users connected.

(_sourceCategory=Cisco/VPN)
|parse regex"\<\d+\>(?<dte>[^:]+:\d+:\d+)\s(?<host>[^:]+):\s\%(?<event>[^:]+):\sGroup\s\<(?<group>[^\>]+)\>\sUser\s\<(?<user>[^\>]+)\>\sIP\s\<(?<ip>(?:\d+\.){3}\d+)\>\s(?<msg>.*)"
| where msg = "Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.05085"
| count_distinct (user) as device_conn group by host,device_conn  | total device_conn 

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Jorge Silva

    Not sure I understand your question. Isn't the "total" operator already doing what you are asking? It is showing you the total sum of all users connected in a separate field. 

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post