2017-02-27 06:33 PM
I'm wondering if anyone has attempted to dedup specific meta like user.agents from IIS logs in the reporting engine of NetWitness?
I can use aggregates like distinct, which gives me a count, but I need the actual values.
In the above example I expect the bottom 100 results (thus Ascending order). However, what RE returns is a ton of instances where, for instance, user.agent = '-'. It is not deduping the results.
Is there a method where I can do this in the Then clause for instance?
I went through all the docs I have but cannot locate anything that is helpful here.
My end goal is to take this "sample" data over a period of time and compare it to some larger dataset just to get a very rough estimate of rare user agent string increases over a sustained period of time. (Yes I realize this metric is a tad meaningless but I have to start somewhere).
Thanks for your help/ideas!
2017-04-10 02:21 PM
FYI - Following up to this, as I have no clue how to get what I needed, I ended up exporting all the data without using unique and provided a sample export of the metadata values in .csv format to my data science team for analysis.
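The offline route described in the follow-up above (working from the exported .csv rather than the reporting engine), as an added example that is not part of the original posts and is not NetWitness code: it collapses the export to one entry per distinct user agent, lists the rarest values in ascending order, and measures what share of a sample window's hits come from agents that are rare in a larger baseline. The column name `user.agent`, the function names and both CSV extracts are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed extracts, not real data. Column name "user.agent" is an assumption
# about the export layout; adjust it to match the actual .csv header.
BASELINE_CSV = """\
time,user.agent
2017-02-01T10:00:00,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2017-02-01T10:00:01,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2017-02-01T10:00:02,-
2017-02-01T10:00:03,-
2017-02-01T10:00:04,curl/7.50.1
"""
SAMPLE_CSV = """\
time,user.agent
2017-02-27T10:00:00,-
2017-02-27T10:00:01,-
2017-02-27T10:00:02,-
2017-02-27T10:00:03,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2017-02-27T10:00:04,curl/7.50.1
2017-02-27T10:00:05,python-requests/2.13.0
"""

def count_agents(csv_text, column="user.agent"):
    """Dedupe: one entry per distinct user agent, with its hit count."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        counts[value or "-"] += 1  # assumption: empty field == IIS '-' placeholder
    return counts

def bottom_n(counts, n=100):
    """Rarest distinct values first (ascending count, ties by name)."""
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]

def rare_share(sample, baseline, threshold=1):
    """Share of sample hits whose agent appears <= threshold times in baseline."""
    total = sum(sample.values())
    rare = sum(n for ua, n in sample.items() if baseline.get(ua, 0) <= threshold)
    return rare / total if total else 0.0

if __name__ == "__main__":
    sample, baseline = count_agents(SAMPLE_CSV), count_agents(BASELINE_CSV)
    for agent, hits in bottom_n(sample):
        print(f"{hits:6d}  {agent}")
    print(f"rare share: {rare_share(sample, baseline):.2%}")
```

Tracking `rare_share` per export window gives the rough trend of rare user agent activity over time, and the `'-'` placeholder shows up once with its count instead of flooding the bottom-100 list.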