Hi All,
I have an event as below:
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2018-03-06 12:07:31.427 0.002 TCP 10.96.164.13:55796 -> 10.75.77.56:445 3 132 1
2018-03-06 12:07:31.430 0.001 TCP 10.96.164.13:55805 -> 10.75.77.1:445 3 132 1
2018-03-06 12:07:31.431 0.001 TCP 10.96.164.13:55806 -> 10.75.77.1:445 3 220 1
2018-03-06 12:07:34.437 0.001 TCP 10.96.164.13:56129 -> 10.75.77.1:445 3 269 1
2018-03-06 12:07:34.498 0.002 TCP 10.96.164.13:56134 -> 10.75.77.2:445 3 132 1
2018-03-06 12:07:34.500 0.001 TCP 10.96.164.13:56135 -> 10.75.77.2:445 3 220 1
2018-03-06 12:07:37.510 0.000 TCP 10.96.164.13:56489 -> 10.75.77.2:445 3 269 1
2018-03-06 12:07:37.571 0.001 TCP 10.96.164.13:56490 -> 10.75.77.3:445 3 132 1
2018-03-06 12:07:37.573 0.002 TCP 10.96.164.13:56491 -> 10.75.77.3:445 3 220 1
2018-03-06 12:07:40.581 0.003 TCP 10.96.164.13:56863 -> 10.75.77.3:445 3 269 1
2018-03-06 12:07:40.645 0.002 TCP 10.96.164.13:56872 -> 10.75.77.4:445 3 132 1
2018-03-06 12:07:40.646 0.002 TCP 10.96.164.13:56873 -> 10.75.77.4:445 3 220 1
2018-03-06 12:07:43.655 0.001 TCP 10.96.164.13:57193 -> 10.75.77.4:445 3 269 1
2018-03-06 12:07:43.717 0.002 TCP 10.96.164.13:57195 -> 10.75.77.5:445 3 132 1
2018-03-06 12:07:43.719 0.002 TCP 10.96.164.13:57196 -> 10.75.77.5:445 3 220 1
2018-03-06 12:07:46.728 0.001 TCP 10.96.164.13:57575 -> 10.75.77.5:445 3 269 1
...
2018-03-06 12:16:02.280 0.577 TCP 10.96.164.13:49972 -> 10.75.77.240:445 2 104 1
2018-03-06 12:16:03.356 1.014 TCP 10.96.164.13:50104 -> 10.75.77.241:445 3 152 1
2018-03-06 12:16:04.433 0.562 TCP 10.96.164.13:50234 -> 10.75.77.242:445 2 104 1
2018-03-06 12:16:05.509 0.561 TCP 10.96.164.13:50361 -> 10.75.77.243:445 2 104 1
2018-03-06 12:16:06.586 0.576 TCP 10.96.164.13:50489 -> 10.75.77.244:445 2 104 1
2018-03-06 12:16:07.662 0.607 TCP 10.96.164.13:50616 -> 10.75.77.245:445 2 104 1
2018-03-06 12:16:08.741 0.559 TCP 10.96.164.13:50745 -> 10.75.77.246:445 2 104 1
2018-03-06 12:16:09.815 0.577 TCP 10.96.164.13:50835 -> 10.75.77.247:445 2 104 1
2018-03-06 12:16:10.891 0.609 TCP 10.96.164.13:50966 -> 10.75.77.248:445 2 104 1
2018-03-06 12:16:11.968 0.998 TCP 10.96.164.13:51096 -> 10.75.77.249:445 3 152 1
2018-03-06 12:16:13.044 1.014 TCP 10.96.164.13:51225 -> 10.75.77.250:445 3 152 1
2018-03-06 12:16:14.121 0.578 TCP 10.96.164.13:51356 -> 10.75.77.251:445 2 104 1
2018-03-06 12:16:15.196 0.998 TCP 10.96.164.13:51484 -> 10.75.77.252:445 3 152 1
2018-03-06 12:16:16.273 0.515 TCP 10.96.164.13:51623 -> 10.75.77.253:445 2 104 1
2018-03-06 12:16:17.349 0.546 TCP 10.96.164.13:51751 -> 10.75.77.254:445 2 104 1
2018-03-06 12:16:18.536 0.530 TCP 10.96.164.13:51879 -> 10.75.52.94:445 2 104 1
2018-03-06 12:16:19.658 0.999 TCP 10.96.164.13:52009 -> 10.75.41.195:445 3 152 1
2018-03-06 12:16:20.782 0.576 TCP 10.96.164.13:52142 -> 10.75.33.196:445 2 104 1
2018-03-06 12:16:21.913 0.561 TCP 10.96.164.13:52272 -> 10.75.249.84:445 2 104 1
2018-03-06 12:16:23.029 0.000 TCP 10.96.164.13:52403 -> 10.75.22.193:445 1 52 1
2018-03-06 12:16:24.158 0.000 TCP 10.96.164.13:52531 -> 10.75.137.51:445 1 52 1
2018-03-06 12:16:25.280 0.515 TCP 10.96.164.13:52659 -> 10.75.207.231:445 2 104 1
2018-03-06 12:16:26.408 0.000 TCP 10.96.164.13:52791 -> 10.75.152.227:445 1 52 1
I need the count of each port in the event.
index=* 1520558807000 | rex field=_raw max_match=0 "([[ipv4]])" | rex field=_raw max_match=0 "(?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5})" | rex field=IP_add "(?<dst_ip>[^:]+):(?<dst_port>\d+)" | eval eventportcnt=mvcount(dst_port) | where eventportcnt>10 | stats values(dst_port) values(eventportcnt)
The above query gives me the total count of different ports in the event. I am expecting the output below.
Port count
445 40
55796 1
Please help.
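The aggregation the post is after (one row per destination port with its count, rather than the distinct port values the `stats values(...)` call returns) is shown here as an added Python example that is not part of the original post or of Splunk: it parses the flow lines quoted above and counts flows per destination port, plus distinct destination hosts per port, which is the fan-out signal a defender would watch for in this kind of one-source, many-hosts, port-445 pattern. The sample lines are copied from the post; field names such as `dst_port` follow the query.

```python
import re
from collections import Counter

# Sample flow records copied from the post above (nfdump-style text output).
FLOW_TEXT = """\
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2018-03-06 12:07:31.427 0.002 TCP 10.96.164.13:55796 -> 10.75.77.56:445 3 132 1
2018-03-06 12:07:31.430 0.001 TCP 10.96.164.13:55805 -> 10.75.77.1:445 3 132 1
2018-03-06 12:07:31.431 0.001 TCP 10.96.164.13:55806 -> 10.75.77.1:445 3 220 1
2018-03-06 12:16:23.029 0.000 TCP 10.96.164.13:52403 -> 10.75.22.193:445 1 52 1
2018-03-06 12:16:26.408 0.000 TCP 10.96.164.13:52791 -> 10.75.152.227:445 1 52 1
"""

# One flow line: timestamp, duration, proto, src ip:port, '->', dst ip:port, packets, bytes, flows.
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<dur>\d+\.\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d{1,5})\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d{1,5})\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_flows(text):
    """Return one dict per flow line; the header and any non-matching line are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def count_dst_ports(records):
    """Flows per destination port: the per-port count the post asks for."""
    return Counter(r["dst_port"] for r in records)


def dst_hosts_per_port(records):
    """Distinct destination hosts per port; many hosts on one port from one source is the scan signal."""
    hosts = {}
    for r in records:
        hosts.setdefault(r["dst_port"], set()).add(r["dst_ip"])
    return {port: len(h) for port, h in hosts.items()}


if __name__ == "__main__":
    recs = parse_flows(FLOW_TEXT)
    for port, n in count_dst_ports(recs).most_common():
        print(f"{port}\t{n}")
    print(dst_hosts_per_port(recs))
```

In SPL the same per-port aggregation is `... | mvexpand dst_port | stats count by dst_port`, which turns the multivalue field into one row per value before counting.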