This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Grouping fields in report

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-10 03:35 AM

Hi,

it is possible to create report with grouping fields and number of events? Something like this: ip.src, ip.dst, count

 

Regards

Arek

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-20 10:43 PM

In 10.4, you can use lookup_and_add with count. Refer SAdocs for additional syntax,https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/90_Report/10_Rule/00_RuleOverview/RulSyntax/NWDBRulSyntax

 

Select-->ip.src,ip.dst,count(ip.src)

Where-->ip.src exists && ip.dst exists

Then-->lookup_and_add(ip.dst,ip.src,1000)

 

In 10.5 upcoming release, there is native support of group by and order by and syntax would be like,

 

Select-->ip.src,ip.dst,count(ip.src)

Where-->ip.src exists && ip.dst exists

Group by--> ip.src,ip.dst

Order by-->any of the meta fields available in Select

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
Anonymous
Not applicable

‎2015-04-20 10:39 AM

Not easily unless you have the warehouse component.

 

The best you can do for now is to use aggregate and lookup_and_add() - see sadocs.emc.com for examples.

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-20 05:27 PM

This feature is coming in 10.5.  Concentrator will have native support for group by and order by clauses in the query language.

Go to solution
RSAAdmin
Beginner
Beginner

‎2015-04-20 10:43 PM

In 10.4, you can use lookup_and_add with count. Refer SAdocs for additional syntax,https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/90_Report/10_Rule/00_RuleOverview/RulSyntax/NWDBRulSyntax

 

Select-->ip.src,ip.dst,count(ip.src)

Where-->ip.src exists && ip.dst exists

Then-->lookup_and_add(ip.dst,ip.src,1000)

 

In 10.5 upcoming release, there is native support of group by and order by and syntax would be like,

 

Select-->ip.src,ip.dst,count(ip.src)

Where-->ip.src exists && ip.dst exists

Group by--> ip.src,ip.dst

Order by-->any of the meta fields available in Select

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.