Hi all,
I am going to try and keep this as simple as I can and explain only what I am trying to achieve and what I have to work with...
Okay, so:
I have a search:
index=foo
Which provides data with the fields:
rule_name
dest_ip
dest_port
I want to display the following:
rule_name - count of times the rule occurs - dest_ip - dest_port - count of times "rule_name,dest_ip,dest_port" combination occurs.
Example data:
"foo-rule" "101.101.101.1" "8080"
"foo-rule" "101.101.101.1" "8080"
"foo-rule" "101.101.101.2" "8081"
"bar-rule" "101.101.101.5" "8080"
Example return:
foo-rule - 3 - 101.101.101.1 - 8080 - 2
foo-rule - 3 - 101.101.101.2 - 8081 - 1
bar-rule - 1 - 101.101.101.5 - 8080 - 1
Any ideas???
Thanks guys,
Very much appreciate your help.
Aaron.
Probably something like :
... | eval ip_port=dest_ip.";".dest_port
| stats count as rule_ip_port_count by rule_name ip_port
| eventstats sum(rule_ip_port_count) as rule_count by rule_name
| rex field=ip_port "(?<dest_ip>.*);(?<dest_port>.*)"
| fields - ip_port
Edit - typo
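The same aggregation written out in Python over the question's sample events, as an added illustration (not part of the thread) of what each stage of the SPL above does: stats gives the rule/ip/port combination count, eventstats attaches the per-rule total to every row of that rule. Field names match the question; the EVENTS list is constructed from the example data.

```python
"""Python re-implementation of the SPL pipeline from the answer:
eval -> stats count by rule_name ip_port -> eventstats sum(...) by rule_name -> rex.
Added example, not code from the original thread."""
from collections import Counter, defaultdict

# Sample events constructed from the question's example data.
EVENTS = [
    {"rule_name": "foo-rule", "dest_ip": "101.101.101.1", "dest_port": "8080"},
    {"rule_name": "foo-rule", "dest_ip": "101.101.101.1", "dest_port": "8080"},
    {"rule_name": "foo-rule", "dest_ip": "101.101.101.2", "dest_port": "8081"},
    {"rule_name": "bar-rule", "dest_ip": "101.101.101.5", "dest_port": "8080"},
]


def summarize(events):
    """Return rows (rule_name, rule_count, dest_ip, dest_port, rule_ip_port_count)."""
    # eval ip_port=dest_ip.";".dest_port  followed by
    # stats count as rule_ip_port_count by rule_name ip_port
    combo = Counter(
        (e["rule_name"], e["dest_ip"] + ";" + e["dest_port"]) for e in events
    )
    # eventstats sum(rule_ip_port_count) as rule_count by rule_name:
    # the per-rule total is the sum of its combination counts, and it is
    # repeated on every row belonging to that rule rather than collapsing rows.
    rule_count = defaultdict(int)
    for (rule, _ip_port), n in combo.items():
        rule_count[rule] += n
    rows = []
    for (rule, ip_port), n in combo.items():
        # rex field=ip_port "(?<dest_ip>.*);(?<dest_port>.*)" splits the
        # combined key back into its two fields.
        dest_ip, dest_port = ip_port.split(";", 1)
        rows.append((rule, rule_count[rule], dest_ip, dest_port, n))
    # stats orders its output by the by-fields; sort the same way here.
    return sorted(rows)


def format_rows(rows):
    """Render rows in the 'a - b - c - d - e' layout used in the question."""
    return [" - ".join(str(v) for v in row) for row in rows]


if __name__ == "__main__":
    for line in format_rows(summarize(EVENTS)):
        print(line)
```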
Good spot.
Mate, you're the best!
Exactly what I am after, only thing I had to correct was in your first line...
dest_ip.";"dest_port
Needed to become:
dest_ip.";".dest_port
I assumed the . was to concat.
Cheers again,
Aaron.