NetWitness Community

BalvinderjitSin · ‎2018-07-24

Hi,

We use RSA Netwitness Logs & Network for DB logs reporting and have a field which indicates which type of activity is being performed e.g SELECT, UPDATE, DELETE etc.

How can we create a count and total the occurrence of each value, and possibly present this in a chart ?

Regards,

Balvin

DaveGlover · ‎2018-07-24

Balvin

The aggregate functions can be used.

For example if you want to run a report for failed logins and count the username you could do something like the following:

select: username, action, count(username)

If you wanted to add up the amount of bandwidth a user consumed, you could do the following:

select: ip.src,sum(bytes)

There are other functions such as: min,max,first,last

Hope this helps

Dave

BalvinderjitSin · ‎2018-07-25

Hi Dave

The aggregate function will count or sum up total rows and not based on individual values

I am looking at something like this :-

SELECT 201

UPDATE 102

is there another way to achieve this than separate rule for each value ?

Regards,

Balvin

Anonymous · ‎2018-07-27

Balvin,

If the value SELECT is in a single metakey called "action" then the rule below should yield the individual values with the count of the number of times it it has appeared.

Example Report Engine Rule

Name: Count Value Occurrence

Summarize: Event Count

Select: action

Where: medium=32 && device.class='customdb' <---- Made up query insert your query here.

Then: <---- This space intentionally left blank for this example

Groupby: action

Orderby: Value Descending <---- Note "Value" here instead of "Total"

Session Threshold: 0

Limt: 2000

Example output

Action Event Total Events Count

SELECT 1562

UPDATE 806

TRUNCATE 1

I believe this is what you are looking for.

Leonard

NetWitness Community

RSA Netwitness Logs - Count Field Value