I am having some difficulty formatting a table the way I would like.
I am monitoring port state for a couple of different ports on a few different machines.
Currently this is my search string:
sourcetype=port_scan (dst_port=443 OR dst_port=80 OR dst_port=4000 OR dst_port=43500 OR dst_port=43501) | dedup dest_ip | stats latest(dst_port_state) AS "state" by _time,dest_ip,dst_port,dest_host
This is what my output looks like:
I was wondering if anyone knew a way for it to look like this:
time, dest_ip, dest_host, "80 state", "4000 state"
12:00pm, 10.10.10.10, hostname, UP, DOWN
I'm thinking that I would need to make each port a field and then report their status, but I don't know if I'm missing an easier way?
Try this workaround:
sourcetype=port_scan (dst_port=443 OR dst_port=80 OR dst_port=4000 OR dst_port=43500 OR dst_port=43501) | dedup dest_ip | eval allfields=strftime(_time,"%Y-%m-%d %H:%M:%S").",".dest_ip.",".dest_host | eval dst_port=dst_port." State" | chart latest(dst_port_state) AS "state" over allfields by dst_port | rex field=allfields "(?<Time>.*),(?<dest_ip>.*),(?<dest_host>.*)" | fields - allfields
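An added example, not from the thread, that builds the same one-row-per-host layout without concatenating the key fields and splitting them back apart with rex. It assumes the field names used in the question, takes the latest state per host and port with stats (so no dedup is needed), and relies on eval's {field} dynamic field-name syntax to turn each port number into its own "<port>_state" column:

```spl
sourcetype=port_scan (dst_port=443 OR dst_port=80 OR dst_port=4000 OR dst_port=43500 OR dst_port=43501)
| stats latest(dst_port_state) AS state latest(_time) AS last_seen BY dest_ip dest_host dst_port
| eval {dst_port}_state=state
| stats max(last_seen) AS _time values(*_state) AS *_state BY dest_ip dest_host
| table _time dest_ip dest_host *_state
```

The first stats keeps one row per host and port, the eval renames that row's state into a port-specific field, and the second stats collapses the rows so each host shows its ports side by side with the time of its most recent scan result.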
This works really well for reporting, but what if I wanted to run a realtime search?