Count Total of Malware and Nonmalware Events

Count the total of malware and nonmalware events and express each as a percentage

Query

logscale
[count(malware, as=_malware), count(nonmalware, as=_nonmalware)]
| total := _malware + _nonmalware
| nonmalware_pct_total := (_nonmalware/total)*100
| malware_pct_total := (_malware/total)*100

Introduction

It is possible to use the count() function to show the count of two fields as a percentage of their combined total. In this example, count() is used to count the events that carry the field malware and the events that carry the field nonmalware, and the results are then returned as percentages. A result set could, for example, be malware 30% and nonmalware 70%.

Step-by-Step

  1. Starting with the source repository events.

  2. [Diagram: Events -> Filter -> Add Field -> Add Field -> Result Set; the Filter stage is highlighted for this step]
    logscale
    [count(malware, as=_malware), count(nonmalware, as=_nonmalware)]

    Counts the events that contain the field malware and returns that count in a field named _malware, and counts the events that contain the field nonmalware and returns that count in a field named _nonmalware.

  3. [Diagram: Events -> Filter -> Add Field -> Add Field -> Result Set; the first Add Field stage is highlighted for this step]
    logscale
    | total := _malware + _nonmalware

    Assigns the sum of the two counts to a new field named total.

  4. [Diagram: Events -> Filter -> Add Field -> Add Field -> Result Set; the second Add Field stage is highlighted for this step]
    logscale
    | nonmalware_pct_total := (_nonmalware/total)*100
    | malware_pct_total := (_malware/total)*100

    Calculates _nonmalware and _malware each as a percentage of total, storing the results in the fields nonmalware_pct_total and malware_pct_total.

  5. Event Result set.
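As an added reference model (Python, not LogScale, and not part of the original page), the following reproduces what the query above computes over a constructed set of events. It makes explicit that count(field) counts events in which the field is present regardless of its value, and it handles the case where no event carries either field, which would leave total at zero and the division undefined.

```python
# Constructed sample events (not from the page). Field values are arbitrary;
# only the presence of the malware / nonmalware field matters to count(field).
SAMPLE_EVENTS = [
    {"host": "ws01", "malware": "detected"},
    {"host": "ws02", "malware": "detected"},
    {"host": "ws03", "malware": "detected"},
    {"host": "ws04", "nonmalware": "clean"},
    {"host": "ws05", "nonmalware": "clean"},
    {"host": "ws06", "nonmalware": "clean"},
    {"host": "ws07", "nonmalware": "clean"},
    {"host": "ws08", "nonmalware": "clean"},
    {"host": "ws09", "nonmalware": "clean"},
    {"host": "ws10", "nonmalware": "clean"},
    {"host": "ws11"},  # carries neither field, so neither count() sees it
]


def count_field(events, field):
    """Model of LogScale count(field): number of events where the field exists."""
    return sum(1 for event in events if field in event)


def malware_percentages(events):
    """Model of the page's query: the two counts, their total, and each
    count as a percentage of the total. Returns None for the percentages
    when total is 0, since the query's division has no defined result then."""
    _malware = count_field(events, "malware")
    _nonmalware = count_field(events, "nonmalware")
    total = _malware + _nonmalware
    if total == 0:
        return {"_malware": 0, "_nonmalware": 0, "total": 0,
                "malware_pct_total": None, "nonmalware_pct_total": None}
    # Multiply before dividing so 3/10 does not become 30.000000000000004.
    return {
        "_malware": _malware,
        "_nonmalware": _nonmalware,
        "total": total,
        "malware_pct_total": _malware * 100 / total,
        "nonmalware_pct_total": _nonmalware * 100 / total,
    }


if __name__ == "__main__":
    print(malware_percentages(SAMPLE_EVENTS))
```

With the sample above the result matches the page's illustrative split of 30% malware and 70% nonmalware, and the eleventh event is excluded from total because it has neither field.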

Summary and Results

The query is used to get an overview of the total number of malware versus nonmalware events, with each expressed as a percentage of their combined total.