https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225354#M8162 <P>Let's say I have a dataset with list of hostnames, for ex:</P> <P>&nbsp;</P> <P>cphost cpcluster_name cphost_role<BR />one.example.com Test Subscriber<BR />two.example.com Test Subscriber<BR />three.example.com Test Subscriber<BR />four.example.com Test Subscriber</P> <P>&nbsp;</P> <P>And another dataset with RADIUS auth logs, for example</P> <P><BR />_raw_log<BR />"sourcetype":"syslog_clearpass" "host":"" hostname:one.example.com &lt;135&gt;2025-04-01 16:19:41,65 CPPM_Dashboard_Summary 38932186 1 0 session_id=,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:17:57.076+00,write_timestamp=2025-04-01 16:17:58.899283+00 <BR />"sourcetype":"syslog_clearpass" "host":"" hostname:one.example.com &lt;135&gt;2025-04-01 16:19:41,78 CPPM_Dashboard_Summary 38932506 1 0 session_id=--,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:18:15.564+00,write_timestamp=2025-04-01 16:18:16.022775+00 <BR />"sourcetype":"syslog_clearpass" "host":"" hostname:two.example.com &lt;135&gt;2025-04-01 16:19:41,79 CPPM_Dashboard_Summary 38932516 1 0 session_id=,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:18:16.294+00,write_timestamp=2025-04-01 16:18:18.058162+00 <BR />"sourcetype":"syslog_clearpass" "host":"" hostname:three.example.com &lt;135&gt;2025-04-01 16:19:41,80 CPPM_Dashboard_Summary 38932551 1 0 session_id=,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:18:18.329+00,write_timestamp=2025-04-01 16:18:20.146301+00</P> <P>&nbsp;</P> <P>And I want to join and count the total number of auths for each cphost. So the output would look like this with the data above</P> <P>&nbsp;</P> <P>cphost total_auths<BR />one.example.com 2<BR />two.example.com 1<BR />three.example.com 1<BR />four.example.com 0</P> <P>&nbsp;</P> <P>I know something like this will provide a count of cphosts that show up in the logs</P> <P>&nbsp;</P> <P>dataset = prod_dpa_syslog_raw <BR />| filter _raw_log contains "syslog_clearpass*login*Free-WiFi*login_status*ACCEPT"<BR />| alter cphost = arrayindex(regextract(_raw_log, "hostname:(\S+)"), 0)<BR />| comp count() by cphost as total auths</P> <P>&nbsp;</P> <P>output:</P> <P>cphost total_auths<BR />one.example.com 2<BR />two.example.com 1<BR />three.example.com 1</P> <P>&nbsp;</P> <P>But I also want to display cphosts that have zero auths. What is a good approach of accomplishing that? I've been messing around with "join" but haven't been able to come up with a good solution.</P> <P>&nbsp;</P> <P>For example I tried:</P> <P>dataset = prod_dpa_syslog_raw <BR />| filter _raw_log contains "syslog_clearpass*login*Free-WiFi*login_status*ACCEPT"<BR />| alter cphost = arrayindex(regextract(_raw_log, "hostname:(\S+)"), 0)<BR />| join type = left (dataset = cphost_cluster_role) as role role.cphost = cphost<BR />| comp count() as TotalAccepts by cphost</P> <P>&nbsp;</P> <P>But that just ends up providing total count of all and no cphost breakdown</P> <P>&nbsp;</P> <P>output:</P> <P>totalaccepts cphost<BR />4</P> <P>&nbsp;</P> <P>Any suggestions on how to get the output to look something like this?</P> <P><BR />cphost total_auths<BR />one.example.com 2<BR />two.example.com 1<BR />three.example.com 1<BR />four.example.com 0</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Tue, 01 Apr 2025 16:53:32 GMT CesarSaucedo 2025-04-01T16:53:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225354#M8162 <P>Let's say I have a dataset with list of hostnames, for ex:</P> <P>&nbsp;</P> <P>cphost cpcluster_name cphost_role<BR />one.example.com Test Subscriber<BR />two.example.com Test Subscriber<BR />three.example.com Test Subscriber<BR />four.example.com Test Subscriber</P> <P>&nbsp;</P> <P>And another dataset with RADIUS auth logs, for example</P> <P><BR />_raw_log<BR />"sourcetype":"syslog_clearpass" "host":"" hostname:one.example.com &lt;135&gt;2025-04-01 16:19:41,65 CPPM_Dashboard_Summary 38932186 1 0 session_id=,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:17:57.076+00,write_timestamp=2025-04-01 16:17:58.899283+00 <BR />"sourcetype":"syslog_clearpass" "host":"" hostname:one.example.com &lt;135&gt;2025-04-01 16:19:41,78 CPPM_Dashboard_Summary 38932506 1 0 session_id=--,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:18:15.564+00,write_timestamp=2025-04-01 16:18:16.022775+00 <BR />"sourcetype":"syslog_clearpass" "host":"" hostname:two.example.com &lt;135&gt;2025-04-01 16:19:41,79 CPPM_Dashboard_Summary 38932516 1 0 session_id=,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:18:16.294+00,write_timestamp=2025-04-01 16:18:18.058162+00 <BR />"sourcetype":"syslog_clearpass" "host":"" hostname:three.example.com &lt;135&gt;2025-04-01 16:19:41,80 CPPM_Dashboard_Summary 38932551 1 0 session_id=,req_source=RADIUS,user_name=,service_name=Free-WiFi -MAC-Auth - Service,alerts_present=0,nas_ip=,nas_port=0,conn_status=Unknown,login_status=ACCEPT,error_code=0,mac_address=,timestamp=2025-04-01 16:18:18.329+00,write_timestamp=2025-04-01 16:18:20.146301+00</P> <P>&nbsp;</P> <P>And I want to join and count the total number of auths for each cphost. So the output would look like this with the data above</P> <P>&nbsp;</P> <P>cphost total_auths<BR />one.example.com 2<BR />two.example.com 1<BR />three.example.com 1<BR />four.example.com 0</P> <P>&nbsp;</P> <P>I know something like this will provide a count of cphosts that show up in the logs</P> <P>&nbsp;</P> <P>dataset = prod_dpa_syslog_raw <BR />| filter _raw_log contains "syslog_clearpass*login*Free-WiFi*login_status*ACCEPT"<BR />| alter cphost = arrayindex(regextract(_raw_log, "hostname:(\S+)"), 0)<BR />| comp count() by cphost as total auths</P> <P>&nbsp;</P> <P>output:</P> <P>cphost total_auths<BR />one.example.com 2<BR />two.example.com 1<BR />three.example.com 1</P> <P>&nbsp;</P> <P>But I also want to display cphosts that have zero auths. What is a good approach of accomplishing that? I've been messing around with "join" but haven't been able to come up with a good solution.</P> <P>&nbsp;</P> <P>For example I tried:</P> <P>dataset = prod_dpa_syslog_raw <BR />| filter _raw_log contains "syslog_clearpass*login*Free-WiFi*login_status*ACCEPT"<BR />| alter cphost = arrayindex(regextract(_raw_log, "hostname:(\S+)"), 0)<BR />| join type = left (dataset = cphost_cluster_role) as role role.cphost = cphost<BR />| comp count() as TotalAccepts by cphost</P> <P>&nbsp;</P> <P>But that just ends up providing total count of all and no cphost breakdown</P> <P>&nbsp;</P> <P>output:</P> <P>totalaccepts cphost<BR />4</P> <P>&nbsp;</P> <P>Any suggestions on how to get the output to look something like this?</P> <P><BR />cphost total_auths<BR />one.example.com 2<BR />two.example.com 1<BR />three.example.com 1<BR />four.example.com 0</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Tue, 01 Apr 2025 16:53:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225354#M8162 CesarSaucedo 2025-04-01T16:53:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225473#M8170 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/803155551">@CesarSaucedo</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem]">To achieve this, perform a left join between the <CODE data-start="49" data-end="70">cphost_cluster_role</CODE> dataset and the aggregated authentication counts from the <CODE data-start="129" data-end="150">prod_dpa_syslog_raw</CODE> dataset.</SPAN> Here's a conceptual query:</P> <P>dataset = cphost_cluster_role<BR />| fields cphost<BR />| join type = left (<BR />dataset = prod_dpa_syslog_raw<BR />| filter _raw_log contains "syslog_clearpass*login*Free-WiFi*login_status*ACCEPT"<BR />| alter cphost = arrayindex(regextract(_raw_log, "hostname:(\S+)"), 0)<BR />| comp count() as total_auths by cphost<BR />) as auth_counts on cphost = auth_counts.cphost<BR />| alter total_auths = coalesce(auth_counts.total_auths, 0)<BR />| fields cphost, total_auths<BR />| sort asc cphost</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking like and&nbsp; on "mark this as a Solution". Thank you.</SPAN></P> Wed, 02 Apr 2025 16:16:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225473#M8170 aspatil 2025-04-02T16:16:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225488#M8174 <P>Thank you, I was able to get it working with your suggestions.&nbsp;&nbsp;</P> Wed, 02 Apr 2025 19:02:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/join-two-datasets-and-count-how-many-times-a-host-appears-even/m-p/1225488#M8174 CesarSaucedo 2025-04-02T19:02:18Z