("conn=" AND "IP=") | rex field=_raw "conn=(?\d+)" | join connum [search "err=49" AND "conn" | rex field=_raw "conn=(?\d+)"] | rex field=_raw "from IP=(?\d+.\d+.\d+.\d+)" | stats count by src_ip

succeed to search but is it correct?

for example in openstack error 49 is OpenLDAP login error, then search 255737 this conn value and find 192.168.226.5:46662
for each conn number and show a table which one column is conn number , second column is count number, third column is ip address

Mar 21 14:43:51 icns01 slapd[2344]: conn=255735 fd=20 ACCEPT from IP=192.168.226.5:46662 (IP=0.0.0.0:636)

Mar 21 14:43:51 icns01 slapd[2344]: conn=255737 op=0 RESULT tag=97 err=49 text=