Dear all,
I have logs including the fields src-ip, hit-count, attack-dst-ip, etc.
If I want to show a results table as follows:
src-ip, src-ip-city, sum(hit-count), separate attack-dst-ip, separate sum(hit-count) by attack-dst-ip
1.1.1.1, Los Angeles, 10, 5.5.5.5, 2
                          6.6.6.6, 3
                          7.7.7.7, 5
Here a src-ip may have several different attack-dst-ip values, each with its corresponding sum of hit-count.
How can I do this?
I use the following search:
host="xxx" | fields * | geoip src-ip | where 'src-ip_countryname'="xxx" | stats sum(hit-count), values(attack-dst-ip), list(hit-count) by src-ip, src-ip-city
But the list function lists all values rather than sum(hit-count) by the preceding attack-dst-ip. Any good suggestions? Thanks a lot.
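The layout asked for above can be produced with two aggregation stages instead of one: first sum hit-count per (src-ip, src-ip-city, attack-dst-ip), then collapse those per-destination rows back to one row per source. The search below is an added example, not the original poster's search; it assumes the field names from the question (src-ip, src-ip-city, hit-count, attack-dst-ip), the src-ip_countryname field produced by the poster's geoip command, and the same "xxx" placeholders for host and country. Field names containing a hyphen must be single-quoted inside where, otherwise src-ip_countryname is parsed as a subtraction.

```spl
host="xxx"
| geoip src-ip
| where 'src-ip_countryname'="xxx"
| stats sum(hit-count) AS dst_hits BY src-ip, src-ip-city, attack-dst-ip
| sort 0 src-ip, attack-dst-ip
| stats sum(dst_hits) AS total_hits, list(attack-dst-ip) AS attack-dst-ip, list(dst_hits) AS dst_hits BY src-ip, src-ip-city
| sort 0 - total_hits
```

The first stats produces one row per source/destination pair with that pair's summed hit-count (dst_hits). The second stats sums those per-destination values into total_hits and uses list() rather than values() for attack-dst-ip and dst_hits: list() keeps duplicates and preserves arrival order, so after the intermediate sort the two multivalue fields line up row by row, whereas values() deduplicates and sorts, which would break the pairing. For the figures in the question this yields a single row 1.1.1.1, Los Angeles, 10 with attack-dst-ip 5.5.5.5/6.6.6.6/7.7.7.7 and dst_hits 2/3/5. If a flat table with one row per destination is preferred, replace the second stats with eventstats sum(dst_hits) AS total_hits BY src-ip, src-ip-city, which repeats the source total on every destination row.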
Use stats count by (src_ip)
I think you might misunderstand what I mean. Anyway, thanks.