Hi, I'm trying to create a table that shows the breakdown of users with the number of login attempts from a workstation. When I initially ran this, I was seeing a number lower than expected. I checked the Show Missing field and I could see the missing counts but the source workstation now says Missing for each user login. One odd thing is the Missing field is always the highest number for each login attempt. Running a query in Discover shows the correct results.
I'd need to see how you're building the aggregation (the stuff in the "Data" tab) to help you out. If you can't share a screenshot, can you at least explain the fields you're dealing with and how you're aggregating them?
Ok, so you're just splitting on username, and then splitting again on workstation. I'd guess that in your data, you've got records that capture a user's login attempt without a workstation name, which is why you see more attempts with a "Missing" value. Perhaps you have an issue with the way you're collecting that information. Can you verify that you do/don't have records with a username but no workstation?
Yep, that was it. After looking at the data more closely, there are many fields that just have a dash instead of the workstation name so it's reading those as Missing.
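One way to run the check discussed in this thread outside Kibana, as an added example that is not part of the original posts: it splits login records on user and then workstation, and records why each "Missing" entry had no usable workstation name. The field names `user` and `workstation`, the extra placeholder values, and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Values treated as "no workstation recorded". The dash comes from the thread;
# the empty string and None handling are assumptions added for this example.
PLACEHOLDERS = {"", "-"}

def classify(record, field="workstation"):
    """Return (value, reason); reason is None when a real name is present."""
    if field not in record:
        return None, "field absent"
    raw = record[field]
    if raw is None:
        return None, "null value"
    value = str(raw).strip()
    if value in PLACEHOLDERS:
        return None, f"placeholder {value!r}"
    return value, None

def breakdown(records, user_field="user", ws_field="workstation"):
    """Split on user, then workstation, like the two-level table in the thread."""
    table = defaultdict(Counter)    # user -> workstation (or "Missing") -> count
    reasons = defaultdict(Counter)  # user -> why the workstation was missing
    for rec in records:
        user = rec.get(user_field)
        if not user:
            continue                # no username: not part of a per-user table
        value, reason = classify(rec, ws_field)
        table[user][value or "Missing"] += 1
        if reason:
            reasons[user][reason] += 1
    return table, reasons

# Constructed sample login records (not data from the thread).
SAMPLE = [
    {"user": "alice", "workstation": "WS-01"},
    {"user": "alice", "workstation": "-"},
    {"user": "alice", "workstation": "-"},
    {"user": "alice"},
    {"user": "bob", "workstation": "WS-02"},
    {"user": "bob", "workstation": " "},
    {"user": "bob", "workstation": None},
    {"workstation": "WS-03"},
]

if __name__ == "__main__":
    table, reasons = breakdown(SAMPLE)
    for user in sorted(table):
        print(user, dict(table[user]), dict(reasons[user]))
```

Separating the reasons shows whether the "Missing" bucket comes from a collection gap (field absent) or from the source writing a placeholder such as a dash.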