I have a search and subsearch. The search looks for IP addresses occurring more than 50 times and returns the count.
SEARCH: | stats dc(User) as UserCount, count by SourceIP | where count > 50
Then the subsearch appends its results under the listed SourceIPs.
| appendcols [search | rex ".*USER_ID=(?<DynamicUser>(.*?));" | stats values(DynamicUser) as DynUser, count by clientip | where count > 50 ]
The results are:
clientip        count   DynamicUser
63.73.199.69    107     10512
                        12768
                        138934
                        27102
                        3195242
                        3203
                        32160
                        334304
What I want to include is an individual count of each DynamicUser, which would total 107 in the example. Any help would be appreciated.
If I am understanding you, this should do it:
[ ... | stats dc(User) as UserCount, count by SourceIP | where count > 50 | rename SourceIP as clientip | fields clientip ] | rex ".*USER_ID=(?<DynamicUser>(.*?));" | stats count by clientip DynamicUser
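The answer's approach, a subsearch that returns only the busy client IPs as a filter for the outer search, followed by `stats count by clientip DynamicUser`, can be checked offline with the Python below. This is an added example, not code from the thread or from Splunk: the events, the IP addresses, the USER_ID values and the threshold are constructed, and the `clientip=` / `USER_ID=...;` layout is assumed to match what the thread's `rex` extracts. `totals_match` verifies the asker's expectation that the per-user counts for an IP add back up to that IP's total (the 107 in the original example).

```python
import re
from collections import Counter

THRESHOLD = 50


def build_events():
    """Constructed sample events (not from the original thread).
    203.0.113.5 sends 60 requests spread over three USER_IDs, so it exceeds
    the threshold; 198.51.100.7 sends only 5 and must be filtered out."""
    events = []
    for user, n in (("10512", 30), ("12768", 20), ("138934", 10)):
        events += [f"clientip=203.0.113.5 path=/login;USER_ID={user};" for _ in range(n)]
    events += ["clientip=198.51.100.7 path=/login;USER_ID=3203;" for _ in range(5)]
    return events


EVENTS = build_events()

# Same extraction the thread's rex performs (with the .* the forum markup
# stripped): everything between "USER_ID=" and the next ";".
USER_RE = re.compile(r".*USER_ID=(?P<DynamicUser>.*?);")
IP_RE = re.compile(r"clientip=(?P<clientip>\S+)")


def extract(events):
    """Yield (clientip, DynamicUser) per event. Events missing either field are
    skipped, just as stats drops events that lack one of its by-fields."""
    for line in events:
        ip = IP_RE.search(line)
        user = USER_RE.search(line)
        if ip and user:
            yield ip.group("clientip"), user.group("DynamicUser")


def busy_ips(events, threshold=THRESHOLD):
    """Equivalent of the subsearch
    `| stats count by clientip | where count > threshold | fields clientip`:
    the set of IPs handed back to the outer search as a filter."""
    per_ip = Counter(ip for ip, _ in extract(events))
    return {ip for ip, n in per_ip.items() if n > threshold}


def per_user_counts(events, threshold=THRESHOLD):
    """Equivalent of the outer search: keep only events from the busy IPs,
    then `| stats count by clientip DynamicUser`."""
    keep = busy_ips(events, threshold)
    return Counter((ip, user) for ip, user in extract(events) if ip in keep)


def totals_match(events, threshold=THRESHOLD):
    """Per-user counts for each reported IP must sum to that IP's event count."""
    per_ip = Counter(ip for ip, _ in extract(events))
    sums = Counter()
    for (ip, _), n in per_user_counts(events, threshold).items():
        sums[ip] += n
    return all(sums[ip] == per_ip[ip] for ip in sums)


if __name__ == "__main__":
    for (ip, user), n in sorted(per_user_counts(EVENTS).items()):
        print(f"{ip:15} {user:>8} {n}")
    print("totals consistent:", totals_match(EVENTS))
```

Running the block prints one row per (clientip, DynamicUser) pair for the IP above the threshold only; the low-volume IP never appears, which is the behaviour the subsearch filter gives in Splunk.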
Thank you for the help