Hi,
I have a search that produces the following 4 events. I'd like to filter all events for an IP if any event for that IP has I2A=1, i.e. filter out both events for 1.1.1.1, and the final results should only keep the two events for 2.2.2.2.
| IP | A2I | I2A |
| --- | --- | --- |
| 1.1.1.1 | 1 | 0 |
| 1.1.1.1 | 0 | 1 |
| 2.2.2.2 | 0 | 0 |
| 2.2.2.2 | 1 | 0 |
Thanks.
Hello
You can use the eventstats command to get this
yourbasesearch | eventstats max(I2A) as MAXI2A by IP | search MAXI2A="0" | ...
Regards
Thanks for your solution.
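
The eventstats approach from the answer above, as an added, self-contained example that is not part of the original posts. Rows 1 to 4 reproduce the table in the question; the fifth row (3.3.3.3, with no I2A field) is constructed here, and treating a missing I2A as 0 via fillnull is an assumption, not something the thread states.

```spl
| makeresults count=5
| streamstats count as n
| eval IP=case(n<=2, "1.1.1.1", n<=4, "2.2.2.2", true(), "3.3.3.3")
| eval A2I=case(n==1 OR n==4, 1, true(), 0)
| eval I2A=case(n==2, 1, n<=4, 0)
| fillnull value=0 I2A
| eventstats max(I2A) as MAXI2A by IP
| where MAXI2A=0
| table IP A2I I2A
```

Without the fillnull line, an IP whose events all lack I2A gets no MAXI2A value, so the MAXI2A filter silently drops it along with the IPs that had I2A=1.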