I am in the process of creating a report in which I have URIs from many different hosts being hit from multiple IPs.
Requirement: I would like to have a report like this, where the IPs are comma-separated.
URI                        Client IP                                   Total count
-------------------------  ------------------------------------------  -----------
URI/XYZ/service/ENDPOINT   10.256.85.164,10.528.65.313,10.58,65.198    2500
But my search returns this:
sourcetype=xyz index=urx host=jjk* | extract endpoint-extractions | stats count values(clientip) as ClientIP by uri | sort by uri
uri                       count  ClientIP
//Services/Service?MMJD   53     10.166.148.11
                                 10.166.148.15
                                 10.166.149.13
/Services/Orders          22     10.178.5.152
                                 10.178.5.153
I would like to get a 30-day report for 2000-plus services from different domains. Can use tstats to have the results quickly.
Please help me with a search to get the result for 30 days. I highly appreciate your help. Thanks in advance.