
Dedup reporting engine results for top 100 User Agents?

Question asked by KEVIN DIENST on Feb 27, 2017
Latest reply on Apr 10, 2017 by KEVIN DIENST

I'm wondering if anyone has attempted to dedup specific meta like user.agents from IIS logs in the reporting engine of NetWitness? Joe Gumke John Snider

 

I can use aggregates like distinct, which gives me a count, but I need the actual values. 

 

 

In the above example I expect the bottom 100 results (thus Ascending order). However, what RE returns is a ton of instances where user.agent = '-', for instance, without deduping the results.

 

Is there a method where I can do this in the Then clause for instance?

 

I went through all the docs I have but cannot locate anything that is helpful here. 

 

My end goal is to take this "sample" data over a period of time and compare it to some larger dataset just to get a very rough estimate of rare user agent string increases over a sustained period of time. (Yes I realize this metric is a tad meaningless but I have to start somewhere). 

 

Thanks for your help/ideas!
