I'm trying to produce an alert based on a user logged in with 2 IPs within 10 minutes. I have a way to determine if they have it; however, I would like to see the IP addresses they had in the alert. How can I achieve this?
The following will trigger, but I need to see the IPs as well.
index="w3logs" earliest=-10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup by cs_username | where dup > 1
Hi @zippo706,
You can simply add the values(ip) function to the stats command to display the IP addresses:
index="w3logs" earliest=-10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup values(ip) as ip by cs_username | where dup > 1
Try this assuming your data is normalized and X_Forwarded_For is a custom header extraction:
index=w3logs earliest=-20m
| eval src=coalesce(mvindex(split(X_Forwarded_For, ","), 0), src)
| streamstats time_window=10m dc(src) as src_count by user
| where src_count > 1 AND _time > relative_time(now(), "-10m")
| stats min(_time) as _time values(src) as src by user
| eval src=mvjoin(src, ",")
| table _time user src
Replace user with cs_username if needed.
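The same per-user sliding-window check that the stats/streamstats searches above express, as an added Python example that is not from the thread; it runs over constructed sample events whose field names follow the thread (cs_username, X_Forwarded_For, src) and whose timestamps and addresses are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample web-server events (not from the thread): timestamp,
# username and the raw X-Forwarded-For header value.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "cs_username": "alice", "X_Forwarded_For": "203.0.113.10, 10.0.0.1"},
    {"_time": "2024-01-01T10:04:00", "cs_username": "alice", "X_Forwarded_For": "198.51.100.7, 10.0.0.1"},
    {"_time": "2024-01-01T10:02:00", "cs_username": "bob",   "X_Forwarded_For": "192.0.2.5"},
    {"_time": "2024-01-01T10:30:00", "cs_username": "bob",   "X_Forwarded_For": "192.0.2.99"},  # 28m later: outside window
    {"_time": "2024-01-01T10:05:00", "cs_username": "carol", "X_Forwarded_For": ""},            # no client IP at all
]

def client_ip(xff, fallback=None):
    """Equivalent of coalesce(mvindex(split(X_Forwarded_For, ","), 0), src):
    first hop of the header, or the fallback field when the header is empty."""
    first = xff.split(",")[0].strip() if xff else ""
    return first or fallback

def multi_ip_users(events, window=timedelta(minutes=10)):
    """Return {user: sorted distinct IPs} for every user seen from more than one
    IP inside any `window`-long span, like streamstats time_window=10m dc(src) by user."""
    by_user = defaultdict(list)
    for e in events:
        ip = client_ip(e.get("X_Forwarded_For"), e.get("src"))
        if ip:
            by_user[e["cs_username"]].append((datetime.fromisoformat(e["_time"]), ip))
    flagged = {}
    for user, seen in by_user.items():
        seen.sort()  # streamstats time_window needs time-ordered events
        recent = deque()
        for ts, ip in seen:
            recent.append((ts, ip))
            while ts - recent[0][0] > window:  # drop events older than the window
                recent.popleft()
            ips = {i for _, i in recent}
            if len(ips) > 1:  # dc(src) > 1 within the window
                flagged[user] = sorted(ips | set(flagged.get(user, [])))
    return flagged

if __name__ == "__main__":
    for user, ips in multi_ip_users(SAMPLE_EVENTS).items():
        print(f"{user}: {','.join(ips)}")  # same shape as mvjoin(src, ",")
```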