I am working on a graph in order to identify the most pinging customer accounts (traffic optimization, security). I would like to add the field clientip (relative to the customer-account, of course) in another column.
The ideal would be to have the graph, and when I move the mouse over a bar, it should display the customer-account and the clientip. But if I can have at least the graph and the data below, that would be good enough.
| chart count BY customer-account | sort -count | head 50
I tried many ways, but I have an error, or no match. I don't see how to do that. Is it possible?
So I did it this way to get the column I want.
| chart mode(clientip) AS ip_address, count BY customer-account | sort -count | head 50
I use mode in case a customer account has more than one clientip in the events (e.g. someone using a smartphone or a laptop).
Now I need to find how to keep clientip in the statistics, but remove it from the visualization (or display it in another way). But this is another question.
Give this a try
your base search | eval "customer-account"='customer-account'.":".clientip | chart count BY customer-account | sort -count | head 50
OR
your base search | chart count over customer-account by clientip | addtotals | sort -Total | head 50
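Building on both answers above, here is an added SPL search (not from the original posters) that keeps the top-50 bar chart on the request count while carrying the IP information alongside it in the statistics table, and that surfaces the case mode() hides: an account seen from many distinct IPs. The index, sourcetype and field names are assumptions for the example.

```spl
index=web sourcetype=access_combined
| stats count AS requests,
        dc(clientip) AS distinct_ips,
        mode(clientip) AS most_common_ip,
        values(clientip) AS all_ips
  BY "customer-account"
| eval ip_note=if(distinct_ips > 3, "many IPs, review", "ok")
| sort -requests
| head 50
| fields "customer-account", requests, distinct_ips, most_common_ip, ip_note, all_ips
```

A bar chart built on the numeric requests column ignores the string columns, so most_common_ip and all_ips stay visible in the statistics table without cluttering the visualization; distinct_ips flags accounts whose traffic is not a single device, which mode() alone would mask.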