Get unique values from an active channel
Hey all 🙂
I would like to know how I can get unique values from an active channel.
For example, I made an active channel that shows logon logs from an IP address, but the results contain many users. I want to see only 1 event per user.
One solution to this problem is through the "inline filter": it is possible to press the drill-down arrow and see the results uniquely. However, the results only load up when you scroll down and see an event with such a result. For instance, I can press the drill-down arrow and see some users that logged in, and then scroll down the active channel and see more users afterwards.
... a workaround might be to use a query and a query viewer to get unique results. (But I'm afraid that's not what you were looking for, and you probably know that queries/query viewers can do this.)
If you're on ESM version 6.5 or above, the fastest way will be to use the Command Center's (the web console) event search to display unique values of fields.
For example, use the following search syntax:
deviceVendor = "Microsoft" AND deviceAddress = "10.0.0.1" | dedup sourceUserName
to get all of the unique sourceUserNames.
Attached are a few screenshots
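To make the filter-then-dedup idea concrete outside the console, here is an added Python example (not ArcSight code and not from either poster) that applies the same logic as the search above to a constructed list of logon events. Field names (deviceVendor, deviceAddress, sourceUserName) mirror the search on the page; the event records, timestamps and the `count_by` helper are assumptions made for this illustration, and the dedup keeps the first event per user in the order the events are given.

```python
from collections import Counter

# Constructed sample logon events (not real data). Field names follow the
# search shown in the thread; everything else is made up for the example.
SAMPLE_EVENTS = [
    {"endTime": "2024-01-01T08:00:00Z", "deviceVendor": "Microsoft",
     "deviceAddress": "10.0.0.1", "sourceUserName": "alice", "name": "Logon"},
    {"endTime": "2024-01-01T08:05:00Z", "deviceVendor": "Microsoft",
     "deviceAddress": "10.0.0.1", "sourceUserName": "bob", "name": "Logon"},
    {"endTime": "2024-01-01T08:07:00Z", "deviceVendor": "Microsoft",
     "deviceAddress": "10.0.0.1", "sourceUserName": "alice", "name": "Logon"},
    {"endTime": "2024-01-01T08:09:00Z", "deviceVendor": "Microsoft",
     "deviceAddress": "10.0.0.2", "sourceUserName": "carol", "name": "Logon"},
    {"endTime": "2024-01-01T08:10:00Z", "deviceVendor": "Unix",
     "deviceAddress": "10.0.0.1", "sourceUserName": "dave", "name": "Logon"},
    # Event with no user name: dedup on sourceUserName should drop it.
    {"endTime": "2024-01-01T08:11:00Z", "deviceVendor": "Microsoft",
     "deviceAddress": "10.0.0.1", "name": "Logon"},
]


def matches(event, conditions):
    """AND of `field == value` conditions, i.e. the left side of the search."""
    return all(event.get(field) == value for field, value in conditions.items())


def dedup(events, field):
    """Keep the first event seen for each distinct value of `field`
    (the `| dedup field` step). Events lacking the field are dropped."""
    seen = set()
    kept = []
    for event in events:
        value = event.get(field)
        if value is None or value in seen:
            continue
        seen.add(value)
        kept.append(event)
    return kept


def unique_events(events, conditions, field):
    """Filter first, then dedup: one event per distinct value of `field`."""
    return dedup([e for e in events if matches(e, conditions)], field)


def count_by(events, conditions, field):
    """Hypothetical helper: how many matching events each distinct value
    produced, which is often the next question after 'which users logged on'."""
    return Counter(e[field] for e in events if matches(e, conditions) and field in e)


FILTER = {"deviceVendor": "Microsoft", "deviceAddress": "10.0.0.1"}

if __name__ == "__main__":
    for event in unique_events(SAMPLE_EVENTS, FILTER, "sourceUserName"):
        print(event["endTime"], event["sourceUserName"])
    print(dict(count_by(SAMPLE_EVENTS, FILTER, "sourceUserName")))
```

Running the module prints one line per user who logged on from 10.0.0.1 via a Microsoft device (alice and bob, each at their first logon), followed by the per-user logon counts; carol (other address), dave (other vendor) and the event with no user name are excluded, which is the same narrowing the console search performs before `dedup`.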