Hi Mark
I tried, it gives results, but just for one index at time.
Here is the query 0
index=XXXX OR XXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR | rex"(?[\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}][^,]+)" | rename XX_1 as IP | rename XX_2 as IP | rename XX_3 as IP | rex "W+s+(?d{1,3}.d{1,3}.d{1,3}.d{1,3}[^s+W+s+])" | rex "comings+froms+(?d*D*w*)" | rex "XXXs+XXXs+(?d{1,3}.d{1,3}.d{1,3}.d{1,3})" | rex "W(?d{1,3}.d{1,3}.d{1,3}.d{1,3}[^,])" | rename IPAddress as IP | rename XX_4 as IP | iplocation IP | stats count values(index) by Country
... View more