Hi @gcusello thanks for that. My end result would be to figure out which hosts are sending only internal address for a 24 hour period. These hosts send both internal and external address in the c_ip and Client_IP field.

Hi @alexrod03,
Sorry but I don't understand your need:
you have the destination IP in field c_ip or in field Client_IP
i think that you're using an internal IP addressing different than the external,
Is this correct?
If yes, you could use this IP addresses to filter your logs in both the fields.

If the addresses are too many, you could put them in a lookup and use it to filter your logs.

Ciao.
Giuseppe

So these hosts send internal and external IP address in the c_ip and Client_IP field. Is there a way to filter out which hosts are only sending internal address for a 24 hour period?

Hi @alexrod03,
is there an IP addressing plan in your company (e.g. all the internal addresses start with 10: e.g. 10.x.x.x)?
If not, the only way is to have a list of internal IP ranges (in a lookup or from another search) and use it to filter events.

Ciao.
Giuseppe

Yes there is an internal range. So in essence c_ip=InternalRange OR Client_IP=InternalRange. But I want to alert when c_ip or Client_IP are ONLY sending internal range for 24 hour period. Normally c_ip and Client_IP send a mixture of and internal range and external IP's. Hopefully this makes sense.

Hi @alexrod03,
yes now it more clear:
you have to distinguish internal from external ranges,
try something like this:

index=IIS (host=Host1 OR host=Host2 OR host=Host3 OR host=Host4)
| eval ip=coalesce(c_ip,Client_IP)
| eval kind=if(ip=Internal_Range,"Internal","External")
| stats values(kind) AS kind BY host
| where kind=Internal

Ciao.
Giuseppe

I am getting an error. Error in 'eval' command:The number "range" is invalid

have you single IPs or IP ranges?
Ciao.
Giuseppe

Doing a range. Example 192.0.0.0/8

try with quotes, e.g. "10.0.0.0/8":

index=IIS (host=Host1 OR host=Host2 OR host=Host3 OR host=Host4)
| eval ip=coalesce(c_ip,Client_IP)
| eval kind=if(ip="10.0.0.0/8","Internal","External")
| stats values(kind) AS kind BY host
| where kind=Internal

Ciao.
Giuseppe

That worked no errors but no results. So basically I want know if one of those hosts is only sending 192.0.0.0/8 ip's under the c_ip and Client_IP field.

To debug, choose an IP that is surely present and check if the search gives results.
If yes try with star (e.g.: "10.0.0.*")
if not, use the first two rows and see which values there are in the ip field, probably this is the problem.

Ciao.
Giuseppe

So I have this query but it's not showing the hosts I know for a fact are only sending internal IP's. If I remove the other hosts and only keep the one that is sending internal IP's it works.

Index=IIS (host=Host1 OR host=Host2 OR host=Host3 OR host=Host4
| eval theIP=if(isnull(Client_IP), c_ip, Client_IP)
| eval isExternal=if(cidrmatch("192.0.0.0/8",theIP), "internal", "external")
| stats count AS "Total" by isExternal, host
| where isExternal="external" AND Total <0