Thanks for your responses... I'm so new to complex searches...
Restating the scenario: using the firewall logs, I am trying to find the common websites/destination IPs that 3 known users have in common, due to bad-guy activity on the src_IP, like malware.
So I could set a custom time filter for the block of time to remove that complexity.
I tried the following - no results:
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dest_ip
The following returned 12000 events but no matches... But I know all three had gone to the same dst_ip in the last 2 hours...
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=120m _time | stats dc(src_ip) as ips by dest_ip
I tried the following with a custom time range set - no results:
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | stats dc(src_ip) as ips by dest_ip
I tried the following with a custom time range set - "Error in stats command":
(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333) type=TRAFFIC | stats count(src_ip) as COUNT dst_ip src_ip
The following, with the custom time range set, results in 10085:
(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333) type=TRAFFIC| stats count(src_ip) as COUNT
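As an added example (not part of the original post), a search that keeps the post's approach but reports only the destinations reached by all three hosts within the same 2-hour window. It assumes the field names src_ip, dest_ip and type from the searches above; the third source address is written as the placeholder <third_src_ip>.

```spl
type=TRAFFIC
    (src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=<third_src_ip>)
| bucket span=120m _time
| stats dc(src_ip) AS ips, values(src_ip) AS sources, count AS events BY _time, dest_ip
| where ips=3
| sort -_time, -events
```

Drop the bucket line and `_time` from the BY clause to find destinations shared across the whole selected time range, regardless of when each host reached them; `sources` shows which hosts hit each dest_ip if you lower `ips=3` to 2 while checking the filter.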