The following search is not giving me what I want...
sourcetype="sidewinder" action="blocked" direction="internal" | top 100 src_ip, dest_port, dest_ip
What I really want is the top src_ip, and then all the destination IP(s) associated with the src_ip. Better yet, with the dest_port.
So I would like for it to look something like this...
src_ip        dest_ip        dest_port  count
122.22.15.51  58.25.66.95    53         200
              95.55.41.55    443        178
              85.99.55.32    1935       87
125.55.98.52  128.22.19.23   443        925
              125.15.15.89   53         839
sourcetype=sidewinder action=blocked direction=internal | stats count,values(dest_ip) by src_ip | sort - count | head 100
and if you want the port too:
sourcetype=sidewinder action=blocked direction=internal | eval dest_ip_port=dest_ip.":".dest_port | stats count,values(dest_ip_port) by src_ip | sort - count | head 100
stats count
I know the thread is very old but what if I want to add another Column with total counts of events for each src_ip
Search operation 'count' is unknown.
Use a subsearch to get the source IP first, then get the top dest_ip/dest_port pairs:
* [
search sourcetype="sidewinder" action="blocked" direction="internal"
| top 1 src_ip
| fields sourcetype action direction src_ip
]
| top 100 dest_ip,dest_port
And if I want the source IP displayed in the results?
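A search that produces the grouped table asked for in the question (one row per src_ip/dest_ip/dest_port with its count), keeps src_ip on every row, and adds the per-source event total requested in the follow-up comments. This is an added example, not from any of the posters above; it uses only the field names on this page and the standard stats, eventstats and streamstats commands, and the limit of 100 sources is taken from the original search.

```spl
sourcetype=sidewinder action=blocked direction=internal
| stats count AS count BY src_ip, dest_ip, dest_port
| eventstats sum(count) AS src_total BY src_ip
| sort 0 -src_total, src_ip, -count
| streamstats dc(src_ip) AS src_rank
| where src_rank <= 100
| table src_ip, src_total, dest_ip, dest_port, count
```

The eventstats line is what answers "total counts of events for each src_ip": it sums the per-destination counts back onto every row of that source without collapsing them, and the streamstats running distinct count is what limits the output to the 100 busiest sources rather than the 100 busiest rows.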