Hi,
I have a simple alert that runs nightly, it is something like:
index=bluecoat cs_categories="*Forbidden*" | top limit=20 client_ip
Basically it shows a report of the top 20 clients that access forbidden sites, calculated/grouped by IP; the format is
client_ip count percentage
I am simply looking to add more fields into this output without changing how it is calculated
Want to say something like
index=bluecoat cs_categories="*Forbidden*" | top limit=20 client_ip | table client_ip user dest count percentage
Can't get it to work. If I add the additional fields after user top limit=20 client_ip, I lose the client_ip grouping and it breaks everything out based on the additional fields. Just looking to add a few info fields into the results and keep the query the same. Thanks
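An added example (not from the original post) of one way to keep the per-client_ip grouping while attaching extra fields: replace top with stats, collect the related user and dest values per IP, and recompute the count and percentage so they match what top reports. Only client_ip, user and dest from the post are used; the output field name percent is assumed.

```spl
index=bluecoat cs_categories="*Forbidden*"
| stats count values(user) AS user values(dest) AS dest BY client_ip
| eventstats sum(count) AS total
| eval percent=round(count / total * 100, 2)
| sort - count
| head 20
| table client_ip user dest count percent
```

total is computed before head so the percentage uses all matching events as its denominator, the same way top does; values() returns every distinct user/dest per IP as a multivalue field, so use first() or dc() instead if a single value per row is wanted.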