I have a listing of top denied connections that lists the src_ip, dest_ip, count for the top 10 denied connections that match an eventtype pattern (eventtype=UT*)
Each row in the table relates to a unique eventtype UT1234, UT2345, UT4567, etc.
How can I have the output table of the top 10 denied connections show the eventtype (that matches a UT* pattern, there could be a few eventtypes that might match - eventtype=firewall-deny, eventtype=tivoli) for each row?
1.1.1.1 2.2.2.2 20 UT1234
1.1.1.2 2.2.2.3 19 UT2345
1.1.1.3 2.2.2.4 18 UT4567
This feels like it should be some form of appending to the top command but I haven't found the appropriate one yet.
Any ideas?
Let me restate it and see if I get it? It sounds like you have a search like:
<your search terms> eventtype=UT* | stats count by src_ip, dest_ip
or maybe you're using the top command to do the same thing. (use stats, it's cooler)
<your search terms> eventtype=UT* | top src_ip, dest_ip
and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.
But if that's the case, the answer is pretty easy so it seems unlikely:
<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count
or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so:
<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count
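The two stats forms in the answer behave differently when one src/dest pair produces more than one UT* eventtype: splitting by eventtype yields one row per eventtype, while values(eventtype) keeps one row per connection. This added Python model (not Splunk code, and not from the original thread) reproduces both aggregations over a constructed set of denied-connection events so the difference can be seen on sample data; field names follow the question, and each event is assumed to carry a single eventtype value.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real firewall data). Pair A has four
# UT1234 denies, pair B mixes UT2345 and UT4567, pair C is a non-UT
# eventtype and is dropped by the eventtype=UT* search filter.
EVENTS = [
    {"src_ip": "1.1.1.1", "dest_ip": "2.2.2.2", "eventtype": "UT1234"},
    {"src_ip": "1.1.1.1", "dest_ip": "2.2.2.2", "eventtype": "UT1234"},
    {"src_ip": "1.1.1.2", "dest_ip": "2.2.2.3", "eventtype": "UT2345"},
    {"src_ip": "1.1.1.1", "dest_ip": "2.2.2.2", "eventtype": "UT1234"},
    {"src_ip": "1.1.1.2", "dest_ip": "2.2.2.3", "eventtype": "UT4567"},
    {"src_ip": "1.1.1.3", "dest_ip": "2.2.2.4", "eventtype": "firewall-deny"},
    {"src_ip": "1.1.1.2", "dest_ip": "2.2.2.3", "eventtype": "UT2345"},
    {"src_ip": "1.1.1.1", "dest_ip": "2.2.2.2", "eventtype": "UT1234"},
]


def match_ut(events, prefix="UT"):
    """Model of the search filter eventtype=UT* (prefix match)."""
    return [e for e in events if e["eventtype"].startswith(prefix)]


def stats_by_eventtype(events, limit=10):
    """Model of: stats count by src_ip, dest_ip, eventtype | sort - count.

    Returns [((src_ip, dest_ip, eventtype), count), ...]; a connection
    seen under two eventtypes appears as two rows.
    """
    counts = Counter((e["src_ip"], e["dest_ip"], e["eventtype"])
                     for e in match_ut(events))
    # sorted() is stable, so ties keep first-seen order like the sample
    return sorted(counts.items(), key=lambda kv: -kv[1])[:limit]


def stats_values_eventtype(events, limit=10):
    """Model of: stats count values(eventtype) as eventtype
                 by src_ip, dest_ip | sort - count.

    Returns [(src_ip, dest_ip, count, [distinct eventtypes]), ...];
    one row per connection, with every eventtype seen for it.
    """
    counts, seen = Counter(), defaultdict(set)
    for e in match_ut(events):
        key = (e["src_ip"], e["dest_ip"])
        counts[key] += 1
        seen[key].add(e["eventtype"])
    rows = [(src, dst, counts[(src, dst)], sorted(seen[(src, dst)]))
            for (src, dst) in counts]
    return sorted(rows, key=lambda r: -r[2])[:limit]
```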