Hi,
I'm experiencing some difficulties when using count. The search query below works by listing sip (source IP) against all the signames (signatures) which were triggered against that sip. I'm trying to break this down further with a count of these signatures, so:
sip        signature    count
1.1.1.1    UDP Flood    4
           TCP Flood    56
2.2.2.2    UDP Flood    6
           TCP Flood    34
I've constructed the following search:
idp-01 signame=* | transaction sip signame count by eventid | table sip signame | stats list(signame) by sip
eventid is a unique reference for each event. This gives me:
sip        list(signature)
1.1.1.1    UDP Flood
           UDP Flood
           UDP Flood
           TCP Flood
           TCP Flood
           TCP Flood
           TCP Flood
           [repeats 56 times]
Any clues where I’m going wrong here?
Thanks.
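An added example of one way to produce the per-sip signature counts described above; this is not the original poster's query. It assumes the same source (idp-01) and field names (sip, signame, eventid) as in the post, and that eventid is unique per event, so dedup eventid ensures each event is counted once before aggregating. The first stats counts events per sip/signame pair; the second stats rolls those rows up into one row per sip with parallel multivalue fields for signature and count, matching the layout the post asks for.

```spl
idp-01 signame=*
| dedup eventid
| stats count AS hits BY sip signame
| sort sip -hits
| stats list(signame) AS signature list(hits) AS count BY sip
```

For a flat one-row-per-pair result (easier to alert or chart on, e.g. a threshold on flood signatures per source), stop after the first stats and drop the second; list() keeps the signature and count multivalue fields in the same order because both come from the same sorted rows.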