topic Getting too many destination ip addresses. Need to filter it down to 5 in Getting Data In

Getting too many destination ip addresses. Need to filter it down to 5

ecabrera81 — Tue, 29 Sep 2020 11:15:10 GMT

Trying to filter down to 5 search results for the dest section.

Re: Getting too many destination ip addresses. Need to filter it down to 5

somesoni2 — Fri, 30 Sep 2016 14:38:09 GMT

Could you provide more details on what the expected output is (and what you're getting right now)?

Re: Getting too many destination ip addresses. Need to filter it down to 5

ecabrera81 — Fri, 30 Sep 2016 14:53:12 GMT

Thanks for the response. For output i would like for either src or dest section ip address to display only 5 ip addresses for each section. As of now i am just scrolling down too many ip addresses.

Re: Getting too many destination ip addresses. Need to filter it down to 5

somesoni2 — Fri, 30 Sep 2016 15:19:19 GMT

The transaction command is generating those multivalued fields for src and dest ip addresses. There is no option in transaction command to limit how many values to show, so you'd need to use eval expression, after transaction command to limit the number of results to be show. Like this

For single field (say dest where you want to reduce the number of ip addresses to be shown per event) to be limited to 5 values.

index=threat_activity threat_match_field=src threat_match_value=* | iplocation src | transaction threat_match_value |table src dest dest_port threat_key Country orig_sourcetype | search Country!= "United States" | eval dest=mvindex(dest,0,4)

For multiple fields

index=threat_activity threat_match_field=src threat_match_value=* | iplocation src | transaction threat_match_value |table src dest dest_port threat_key Country orig_sourcetype | search Country!= "United States" | foreach src dest [ eval <<FIELD>>=mvindex('<<FIELD>>',0,4) ]

Re: Getting too many destination ip addresses. Need to filter it down to 5

ecabrera81 — Fri, 30 Sep 2016 15:58:35 GMT

Thank you!