I have been stumped on this all afternoon and I finally decided to ask this question here. Today I just can't figure this out. It seems easy enough, but I'm having a problem making it happen!
sourcetype=addstorm earliest=-2d@d latest=-0d@d | rex field=_raw "(?P<date>[^;]+);(?P<Registrar>[^;]+);(?P<domains>\d*);(?P<hosts>\d*);(?P<contacts>\d*)" | table Registrar domains hosts contacts | dedup Registrar | where domains>700
The above search looks at the field "domains" and shows me ones where domains>700. However I want the search to also look at the fields hosts and contacts as well.
So I want something like | where domains OR hosts OR contacts > 700
I just can't get it to happen. Any ideas? I tried some eval commands, even using the "if" statements, but I can't seem to get it right.
I agree with Kristian - more information would be valuable. However, to answer the simplest iteration of your question, this may be more appropriate:
| search domains >700 OR hosts > 700 OR contacts > 700
This worked. Thanks. Perhaps I was overthinking things!
Without really knowing what you want to do, or what your log data is, I believe that you're missing something. Based on your search above, I believe that you want some type of aggregation of data, like "make a list of all Registrars who have registered more than 700 domains". Your search, as it is now, does not do that.
However, your data may already contain the count. It may also be so that your dedup command removes data that would be needed for further calculations, since it only keeps the first occurrence and discards the rest.
Please post a few sample events, and perhaps your desired output.
/kristian
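Putting the accepted answer and Kristian's dedup concern together, here is an added example search (not from the original question or answers) that keeps every event per Registrar by aggregating with stats instead of dedup, and then applies the OR threshold across all three fields. It assumes the same semicolon-separated event layout as the original rex, that the extracted counts are per-event totals so max() is the right aggregate (use sum() if each event is an increment), and that the field names and sourcetype are as in the question:

```spl
sourcetype=addstorm earliest=-2d@d latest=-0d@d
| rex field=_raw "(?P<date>[^;]+);(?P<Registrar>[^;]+);(?P<domains>\d*);(?P<hosts>\d*);(?P<contacts>\d*)"
| eval domains=tonumber(domains), hosts=tonumber(hosts), contacts=tonumber(contacts)
| stats max(domains) AS domains, max(hosts) AS hosts, max(contacts) AS contacts BY Registrar
| where domains > 700 OR hosts > 700 OR contacts > 700
| table Registrar domains hosts contacts
```

The eval to tonumber() is there so an empty rex capture (`\d*` can match nothing) becomes null rather than a blank string and does not pass the comparison unexpectedly.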