Easily Explore Your Log Data with a Single Query in InsightIDR

We are delighted to announce that Log Search now supports grouping by multiple fields in your log data. By running a single query, you can easily drill down into your log data for in-depth analysis, while still getting an overall view of your data.


Read on to find out how to get this rich insight into your log data, without exporting data to a BI tool or opening multiple browser windows.


How to use LEQL Multi-groupby


Let’s start with a common example of a “groupby” query: viewing login attempts per user. This log data is available in the “Asset Authentications” log set in Log Search.


groupby(destination_user) calculate(count)


This query will show the users with the highest number of login attempts. But you probably want to see a bit more context—were these login attempts all from the same device or country code? What was the result of these attempts?


By adding additional fields, this level of drill-down is now possible without needing to run multiple queries in different tabs. Simply add up to five fields in a single groupby query to get extra insights.


Using the example above, let’s expand the query so more information about the login attempts can be easily viewed. You can do this by typing additional keys in the “Advanced” querybuilder mode, or you can use the buttons provided in “Simple” mode.


This query adds the following information about each login attempt: the result, the service, and the IP address of the source asset.


groupby(destination_user, result, service, source_asset_address) calculate(count)


When this query is run, the data looks a bit diffe ..
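To make the drill-down concrete, here is an added example that is not code from the post or from Rapid7: a small Python model of `groupby(<fields>) calculate(count)` run over constructed JSON log lines shaped like "Asset Authentications" events. It assumes each line is a JSON object carrying the field names used in the queries above (`destination_user`, `result`, `service`, `source_asset_address`); the five-field limit comes from the post, and every sample value is made up.

```python
import json
from collections import Counter
from typing import Iterable, Sequence

# Constructed sample log lines, shaped like "Asset Authentications" events.
# The field names match the keys used in the post's queries; every value
# here is made up for the example.
SAMPLE_LOG_LINES = [
    json.dumps({"destination_user": "alice", "result": "SUCCESS",
                "service": "ssh", "source_asset_address": "10.0.0.5"}),
    json.dumps({"destination_user": "alice", "result": "SUCCESS",
                "service": "ssh", "source_asset_address": "10.0.0.5"}),
    json.dumps({"destination_user": "alice", "result": "SUCCESS",
                "service": "ssh", "source_asset_address": "10.0.0.5"}),
    json.dumps({"destination_user": "bob", "result": "FAILURE",
                "service": "rdp", "source_asset_address": "203.0.113.7"}),
    json.dumps({"destination_user": "bob", "result": "FAILURE",
                "service": "rdp", "source_asset_address": "203.0.113.7"}),
    json.dumps({"destination_user": "bob", "result": "FAILURE",
                "service": "rdp", "source_asset_address": "203.0.113.7"}),
    json.dumps({"destination_user": "bob", "result": "SUCCESS",
                "service": "rdp", "source_asset_address": "10.0.0.9"}),
    "this line is not JSON and is skipped",
]

MAX_GROUPBY_FIELDS = 5  # the post states a groupby takes up to five fields


def groupby_count(log_lines: Iterable[str], fields: Sequence[str]):
    """Model of `groupby(<fields>) calculate(count)` over JSON log lines.

    Returns a list of (key_tuple, count) pairs, highest count first, with
    ties ordered by key so the output is deterministic.
    """
    if not 1 <= len(fields) <= MAX_GROUPBY_FIELDS:
        raise ValueError(
            f"groupby takes 1 to {MAX_GROUPBY_FIELDS} fields, got {len(fields)}")
    counts: Counter = Counter()
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: not counted
        key = tuple(event.get(f) for f in fields)
        if any(v is None for v in key):
            continue  # event lacks one of the grouped keys: not counted
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def render_table(rows, fields: Sequence[str]) -> str:
    """Format groupby results as the tabular view a user would read."""
    header = " | ".join(list(fields) + ["count"])
    lines = [header, "-" * len(header)]
    for key, count in rows:
        lines.append(" | ".join(list(key) + [str(count)]))
    return "\n".join(lines)


if __name__ == "__main__":
    # The single-field query from the post: login attempts per user.
    single = ["destination_user"]
    print(render_table(groupby_count(SAMPLE_LOG_LINES, single), single))
    print()
    # The expanded query: the same attempts broken out by result, service
    # and source asset address.
    multi = ["destination_user", "result", "service", "source_asset_address"]
    print(render_table(groupby_count(SAMPLE_LOG_LINES, multi), multi))
```

Run stand-alone, the single-field table ranks `bob` first with four attempts and says nothing more; the four-field table shows that three of those were failures from one external address and only one succeeded from an internal one, which is the context the post describes getting from one query instead of several tabs.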