Thanks, this helped me resolve a similar question. I was trying to get a list single list of website actions by IP address for a given date, and this helped me figure it out:

| stats values(actions), earliest(datetime) by src_ip

this puts it all into one list i need them in 2 lists one list for src and one list for dest

this give 0 results

i didnt think you can do 2 stats commands like that in a row because the second one wouldnt have any results because there is no dest ip to count by from the first stats command

... dest_port=*| table src_ip dest_ip dest_port

yeah i tried that already it shows each src and dest ip paired together

what do you want now?

a list of all source ip's and a list of all destination ip's for any given destination port. the way you have it shows each ip talking together i dont need that. I just need a list of the ip's not whats talking to what.

for example, if you've number of port 8000, you want something like this?

dest_port=8000| table src_ip dest_ip dest_port

no so if you do that it lists out multiple results if there are any. for example if there are 10 src ip's that are 1.1.1.1 it list that 10 times. same with dest ip's. so i guess i need unique source ip's and unique dest ip's. sorry i should have put unique values in my question.

Ok now i understand you better. Use de commande dedup to have unique values. Try this:

dest_port=8000| dedup src_ip | dedup dest_ip | table src_ip dest_ip dest_port

yep already tried that one too. It cuts out some of the ip's for some reason. So like if i run my 2 separate searches i get 9 total src ip's and 20 total dest ip's. i run this and its only giving me 8 of each. so 1 src ip and 12 dest ip's disappeared.

i thought i had it with

| dedup src_ip | stats list(src_ip), list(dest_ip) by dest_port

but its still showing multiple of the same dest ip's

that's still grouping them together somehow. Its making multiple rows with not all the same results in each row