I am looking at a firewall. I am trying to find only results where there are more than 20 distinct ports per source.
stats dc(port) by source_ipaddr
I would like to use something like a where command. I was thinking of using a | where dc(port) > 20, but I get an error when I try that. What should I do to convert the results of the dc(port) to a value that where can use?
You would need to use the eventstats command to calculate dc(port) per source_ipaddr (adding another field without reducing/filtering) and then apply your where clause, like this:
your base search
| eventstats dc(port) as ports by source_ipaddr
| where ports>20
| ...rest of the search
Is it possible to apply the filter on dc(account_id), for example?
dc(port) as total .... | where total > 20
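Both answers above combined into one self-contained search, added here as an example that is not part of the original thread: it builds a constructed dataset with makeresults (a source 10.0.0.5 touching 25 distinct ports and a source 10.0.0.9 touching 5), materialises the distinct-port count with eventstats as in the first answer, and filters on it with where. The field names source_ipaddr and port come from the question; the addresses and port ranges are made up.

```spl
| makeresults count=1
| eval source_ipaddr="10.0.0.5", port=mvrange(1,26)
| mvexpand port
| append
    [| makeresults count=1
     | eval source_ipaddr="10.0.0.9", port=mvrange(440,445)
     | mvexpand port]
| eventstats dc(port) as ports by source_ipaddr
| where ports > 20
| stats count as events, dc(port) as ports, values(port) as port_list by source_ipaddr
```

The original `| where dc(port) > 20` fails because where only evaluates per-result eval functions and has no aggregation functions, so dc() must first be turned into a field by stats or eventstats; replacing the eventstats/where pair with the second answer's `stats dc(port) as total by source_ipaddr | where total > 20` yields the same single surviving source (10.0.0.5 with 25 ports) as one row per source, but drops the underlying events.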