Hi,
We use RSA Netwitness Logs & Network for DB logs reporting and have a field which indicates which type of activity is being performed e.g SELECT, UPDATE, DELETE etc.
How can we create a count and total the occurrence of each value, and possibly present this in a chart ?
Regards,
Balvin
Hi Dave
The aggregate function will count or sum up total rows and not based on individual values
I am looking at something like this :-
SELECT 201
UPDATE 102
is there another way to achieve this than separate rule for each value ?
Regards,
Balvin
Balvin,
If the value SELECT is in a single metakey called "action" then the rule below should yield the individual values with the count of the number of times it it has appeared.
Example Report Engine Rule
Name: Count Value Occurrence
Summarize: Event Count
Select: action
Where: medium=32 && device.class='customdb' <---- Made up query insert your query here.
Then: <---- This space intentionally left blank for this example
Groupby: action
Orderby: Value Descending <---- Note "Value" here instead of "Total"
Session Threshold: 0
Limt: 2000
Example output
Action Event Total Events Count
SELECT 1562
UPDATE 806
TRUNCATE 1
I believe this is what you are looking for.
Leonard
Balvin
The aggregate functions can be used.
For example if you want to run a report for failed logins and count the username you could do something like the following:
select: username, action, count(username)
If you wanted to add up the amount of bandwidth a user consumed, you could do the following:
select: ip.src,sum(bytes)
There are other functions such as: min,max,first,last
Hope this helps
Dave