My results are like...
    src_ip         src_geo    count
    55.89.12.11    US         25
I want the result to be like...
    src_ip and src_geo    count
    55.89.12.11 - US      25
I want this so I can create a chart that shows the src_ip associated with a country and the count.
The src_ip and src_geo: I want this to be a new field.
I figured it out...
direction="external" sourcetype="sidewinder" action=blocked src_geo="US" OR src_geo="CA" | eval src_ip_and_src_geo=src_ip." - ".src_geo | top src_ip_and_src_geo showperc=f
Use eval to concatenate the field values together into a new field:
<yourbasesearch> | eval src_ip_and_src_geo=src_ip." - ".src_geo | stats count by src_ip_and_src_geo
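As an added illustration of what that pipeline does (this is not from the answer above and Splunk is not involved; it is a plain Python re-implementation of the same steps), the script below parses a handful of constructed Sidewinder-style key=value events, applies the filter from the base search, builds the concatenated `src_ip_and_src_geo` value with `eval`'s `.` operator semantics, then counts by that value and orders the rows the way `top ... showperc=f` would. The log lines, IP addresses and counts are made up; the field names are the ones used in the question.

```python
import re
from collections import Counter

# Constructed sample events in the key=value style of the firewall logs in the
# question. Field names match the search; IPs, geos and counts are invented.
SAMPLE_EVENTS = [
    'direction="external" sourcetype="sidewinder" action=blocked src_ip=55.89.12.11 src_geo="US"',
    'direction="external" sourcetype="sidewinder" action=blocked src_ip=55.89.12.11 src_geo="US"',
    'direction="external" sourcetype="sidewinder" action=blocked src_ip=203.0.113.7 src_geo="CA"',
    'direction="external" sourcetype="sidewinder" action=blocked src_ip=55.89.12.11 src_geo="US"',
    'direction="external" sourcetype="sidewinder" action=allowed src_ip=55.89.12.11 src_geo="US"',   # not blocked
    'direction="external" sourcetype="sidewinder" action=blocked src_ip=198.51.100.9 src_geo="DE"',  # geo not in filter
    'direction="internal" sourcetype="sidewinder" action=blocked src_ip=10.0.0.5 src_geo="US"',      # wrong direction
    'direction="external" sourcetype="sidewinder" action=blocked src_ip=203.0.113.7 src_geo="CA"',
]

# key=value where the value is either "quoted" or a bare token without spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Extract key=value pairs into a dict, like Splunk's automatic field extraction."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def base_search(events, geos=("US", "CA")):
    """The filter part of the search: external, sidewinder, blocked, src_geo in the set."""
    for line in events:
        f = parse_event(line)
        if (f.get("direction") == "external" and f.get("sourcetype") == "sidewinder"
                and f.get("action") == "blocked" and f.get("src_geo") in geos):
            yield f


def count_by_ip_and_geo(events, geos=("US", "CA")):
    """eval src_ip_and_src_geo=src_ip." - ".src_geo | stats count by src_ip_and_src_geo

    The concatenation happens per raw event, before aggregation, so events that
    share an IP and geo collapse into one row with the combined count."""
    counter = Counter()
    for f in base_search(events, geos):
        counter[f["src_ip"] + " - " + f["src_geo"]] += 1
    return dict(counter)


def top(events, limit=10, geos=("US", "CA")):
    """top src_ip_and_src_geo showperc=f: (value, count) rows, highest count first."""
    counts = count_by_ip_and_geo(events, geos)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for value, count in top(SAMPLE_EVENTS):
        print(f"{value:<24} {count}")
```

The point the script makes explicit is ordering: the new field is computed on each event and only then counted, which is what gives a count of 3 for `55.89.12.11 - US` here. Running `eval` after `top` or `stats` instead operates on already-aggregated rows, so every combined value is seen once.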
When I did this, my count was 1 for each, so I made a few changes...
direction="external" sourcetype="sidewinder" action=blocked src_geo="US" OR src_geo="CA" | top src_ip, src_geo showperc=f | eval src_ip_and_src_geo=src_ip." - ".src_geo | fields - src_ip, src_geo
This looks like I want it to, but it will not chart?