Display network failures during the previous week
index=main sourcetype=linux_secure (fail* OR invalid) earliest=-7d@d
Display network failures during the previous week & retrieve only user, app, and src_ip
index=main sourcetype=linux_secure (fail* OR invalid) earliest=-7d@d | fields user app src_ip
During the last hour, display the top 5 IPs that generated the most attacks (fail/invalid)
index=main sourcetype=linux_secure (fail* OR invalid) earliest=-h@h | top limit=5 src_ip
Display the top 3 common values for users (cs_username) and web categories (x_webcat_code_full) browsed during the last 24 hours
index=main sourcetype=* earliest=-24h@h | top cs_username x_webcat_code_full limit=3
Display the top 3 web categories (x_webcat_code_full) browsed by each user (cs_username) during the last 24 hours
index=main sourcetype=* earliest=-24h@h | top x_webcat_code_full by cs_username limit=3
Display the top 3 users (cs_username) for each web category (x_webcat_code_full) during the last 24 hours
index=main sourcetype=* earliest=-24h@h | top cs_username by x_webcat_code_full limit=3
Display the top 3 user/web categories combinations during the last 24 hours. Rename the count field and show count, but not the percentage
index=main sourcetype=* earliest=-24h@h | top cs_username x_webcat_code_full limit=3 showperc=f countfield="Total Viewed"
Identify which product (product_name) is the least sold by vendors over the last 60 minutes
index=main sourcetype=access_combined_wcookie earliest=-60m@m | rare product_name limit=1 showperc=f
Count the invalid or failed login attempts during the last 60 minutes. Rename it to "Potential Problems".
index=main sourcetype=* (invalid OR fail) earliest=-60m@m | stats count as "Potential Problems"
Count the number of events by user, app, and vendor action during the last 15 minutes
index=main sourcetype=* earliest=-15m@m | stats count by user, app, vendor_action
Count the number of events during the last 15 minutes that contain a vendor action field. Rename the vendor field to ActionEvents. Also count the total events as TotalEvents
index=main sourcetype=* earliest=-15m@m | stats count(vendor_action) as ActionEvents, count as TotalEvents
How many unique websites have all employees visited in the last 4 hours? Label the output as "Websites Visited"
index=main sourcetype=* earliest=-4h@h | stats dc(websites) as "Websites Visited"
How much bandwidth (sc_bytes) did employees consume at each website during the past week? Rename the output to Bandwidth and sort by the most to least bandwidth
index=main sourcetype=* earliest=-7d@d | stats sum(sc_bytes) as Bandwidth by website | sort -Bandwidth
Report the number of retail units sold and sales revenue for each product during the previous week
index=main sourcetype=* earliest=-7d@d | stats count(price) as SoldUnits sum(price) as TotalSales by product_name | sort -TotalSales
count(price) counts how many times each product was bought and reports it as SoldUnits;
sum(price) adds up the price of every sale of that product and reports it as TotalSales, and the results are sorted from highest to lowest revenue.