2019-07-31 01:47 PM
In creating rules for NetWitness, I'm attempting to create a count rule (read: custom) that counts grouped meta tags. For example, consider the following data:
| group.id | username | client |
| --- | --- | --- |
| 100 | bob | audit |
| 200 | adam | sudo |
| 100 | adam | su |
| 200 | adam | sudo |
| 100 | bob | audit |
With a rule definition of:
Summarize: Custom
Select: group.id, username, client, count(username)
Where:
Group By group.id, username, client
Then:
Order By:
Session Threshold: 0
Limit:
I expect output data like the following:
| group.id | username | client | count |
| --- | --- | --- | --- |
| 100 | bob | audit | 2 |
| 200 | adam | sudo | 2 |
| 100 | adam | su | 1 |
However, when I run this rule, I get (understandably) data like the following:
| group.id | username | client | count |
| --- | --- | --- | --- |
| 100 | bob | audit | 2 |
| 200 | adam | sudo | 3 |
| 100 | adam | su | 3 |
While I understand why my rule definition yielded the data it did, I'm at a loss to figure out how to get the data I want. How do I get the count for aggregated/grouped columns?
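To make the two countings in the post concrete, here is an added Python reproduction of both result tables from the same five sessions; it is not NetWitness code and not from the poster. It assumes, as an inference from the second table, that count(username) tallied every session carrying that username value rather than only the sessions inside each group.

```python
from collections import Counter

# Constructed sample sessions, identical to the rows in the post.
SESSIONS = [
    {"group.id": 100, "username": "bob", "client": "audit"},
    {"group.id": 200, "username": "adam", "client": "sudo"},
    {"group.id": 100, "username": "adam", "client": "su"},
    {"group.id": 200, "username": "adam", "client": "sudo"},
    {"group.id": 100, "username": "bob", "client": "audit"},
]

# Grouping columns, in the order the rule's Group By lists them.
KEYS = ("group.id", "username", "client")


def group_key(session, keys=KEYS):
    """The (group.id, username, client) tuple for one session."""
    return tuple(session[k] for k in keys)


def grouped_counts(sessions, keys=KEYS):
    """The expected table: one row per distinct key tuple, each counting
    only the sessions that fall into that tuple."""
    return dict(Counter(group_key(s, keys) for s in sessions))


def per_username_counts(sessions, keys=KEYS):
    """The observed table (assumed semantics): the same distinct key tuples,
    but count(username) tallies every session with that username value,
    so adam's two different groups both report 3."""
    per_user = Counter(s["username"] for s in sessions)
    user_pos = keys.index("username")
    groups = {group_key(s, keys) for s in sessions}
    return {g: per_user[g[user_pos]] for g in groups}


def mismatched_groups(sessions, keys=KEYS):
    """Sanity check for a rule's output: the key tuples whose reported count
    differs from the true per-group count. Empty means the rule counts per group."""
    expected = grouped_counts(sessions, keys)
    observed = per_username_counts(sessions, keys)
    return sorted(g for g in expected if expected[g] != observed[g])
```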