| tstats summariesonly=true allow_old_summaries=true dc(All_Application_State.Ports.transport_dest_port) as "port_count" from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Ports by "All_Application_State.dest" | rename "All_Application_State.dest" as "dest" | where 'port_count'>20
Hey @javiergn,
Can you try using this query:
| tstats summariesonly=true allow_old_summaries=true dc(All_Application_State.Ports.transport_dest_port) as "port_count"
from
datamodel=Application_State.All_Application_State
where
nodename=All_Application_State.Ports AND
All_Application_State.Ports.transport_dest_port < "1025"
by
"All_Application_State.dest"
| rename "All_Application_State.dest" as "dest"
| where 'port_count'>20
Let me know if this helps!!
Sorry for the late reply. But also no luck with your modifications. @deepashri_123
Is the datamodel accelerated?
@deepashri_123
Yes. The datamodel is accelerated. I am able to run the default search but not with your modification. The result is empty. It does not show any error.
Maybe something like this (NOT TESTED as I don't have Enterprise Security installed):
| tstats summariesonly=true allow_old_summaries=true dc(All_Application_State.Ports.transport_dest_port) as "port_count"
from
datamodel=Application_State.All_Application_State
where
nodename=All_Application_State.Ports
All_Application_State.Ports.transport_dest_port >= 1
All_Application_State.Ports.transport_dest_port <= 1024
by
"All_Application_State.dest"
| rename "All_Application_State.dest" as "dest"
| where 'port_count'>20
It is pretty much your search with 2 filters in the where clause in order to look for ports 1-1024, assuming that field is a number, of course.
Hope that helps,
J
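As an added example (not from any post in this thread): a variant of J's search that pulls the port out of tstats as a by-field and applies the 1-1024 range after tonumber(), so the filter behaves the same whether the accelerated summary stores transport_dest_port as a number or as a string. It assumes the same datamodel, node and field names used in the searches above.

```spl
| tstats summariesonly=true allow_old_summaries=true count
    from datamodel=Application_State.All_Application_State
    where nodename=All_Application_State.Ports
    by "All_Application_State.dest" "All_Application_State.Ports.transport_dest_port"
| rename "All_Application_State.dest" as dest
| rename "All_Application_State.Ports.transport_dest_port" as port
| eval port=tonumber(port)
| where isnotnull(port) AND port>=1 AND port<=1024
| stats dc(port) as port_count by dest
| where port_count>20
```

If this also comes back empty, run only the tstats and rename lines and inspect the raw port values: no rows at that point means the summary holds no Ports data for the time range, not that the range filter is wrong.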
Thanks @javiergn
But it's not working.
Hi, what kind of error do you get? Or is it just empty?
Sorry for the late reply. @javiergn
It's empty.