Hi,
I am creating a correlation between two different event sources and then running a transaction based on the src ip like so:
index=i1 OR index=i2 | transaction src_ip | table src_ip,value_from_index1,value_from_index2
Now I would like to have a column that tells me how many events of index1 and index2 each are in the result.
Something like |eval foo=mvcount(value_from_index1) gives me the number of different events, but I want the total number.
Any help would be appreciated.
Konstantin
Are you sure you need to make a transaction? stats can usually do much of the tasks (and faster), along these lines:
index=i1 OR index=i2 | stats c(index1_field) c(index2_field) by src_ip
/K
Or make a timechart.
You can use | bucket _time span=5m (or bin) to group events time-wise.
OK, I forgot to put the 'maxspan=5m' in the search string. That's why I did it as a transaction, as I only want to match those that happen in a certain time frame.
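The stats-based approach from the thread, carried through with the time constraint, as an added example (not posted by any of the participants). It assumes the same field and index names used above (i1, i2, src_ip, value_from_index1, value_from_index2) and 5-minute windows; count(eval(...)) yields the total number of matching events per source rather than the number of distinct values that mvcount would return.

```spl
index=i1 OR index=i2
| bin _time span=5m
| stats count(eval(index="i1"))    AS events_from_i1
        count(eval(index="i2"))    AS events_from_i2
        values(value_from_index1)  AS value_from_index1
        values(value_from_index2)  AS value_from_index2
        BY _time src_ip
| where events_from_i1 > 0 AND events_from_i2 > 0
| table _time src_ip events_from_i1 events_from_i2 value_from_index1 value_from_index2
```

One caveat: bin creates fixed 5-minute buckets aligned to the clock, whereas transaction maxspan=5m measures from the first event of each group, so two events 30 seconds apart can land in different buckets if they straddle a boundary. If that matters, transaction src_ip maxspan=5m remains the closer fit, and its eventcount field gives the total number of events per transaction (though not the per-index split shown here).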