topic Re: Is there a way to flip the values of fields? Ex: sourceIP to destinationIP by simply using a command in Knowledge Management

Is there a way to flip the values of fields? Ex: sourceIP to destinationIP by simply using a command

jrodriguez233 — Fri, 26 Apr 2019 20:24:29 GMT

Here is what I'm trying to do. Say I have 10 servers being targeted by several public IP addresses, is there anyway to flip the values where instead of having to copy all the 10 internal IP address as source and finding all the public IP addresses?

Example query:

index=myfirewall | table srcIP,destIP,action

Output scenario:
100 attacking IPs -> 10 servers

Desired outcomes:

1

100 src attacking IPs -> 10 destination servers | "flip?"

10 src servers IPs -> 100 destination IP addresses

2

Any internal source IP -> 100 destination attacking IP addresses (without having to copy the entire list)

Re: Is there a way to flip the values of fields? Ex: sourceIP to destinationIP by simply using a command

daniel333 — Sat, 27 Apr 2019 03:54:00 GMT

Maybe soemthing like this?

| eval  temp_src = src_ip 
| eval  temp_dest = dest_ip 
| eval src_ip = temp_test
| eval dest_ip = temp_src

Re: Is there a way to flip the values of fields? Ex: sourceIP to destinationIP by simply using a command

woodcock — Sun, 28 Apr 2019 02:37:17 GMT

Like this:

index=firewall
| stats dc(srcIP) AS count values(srcIP) AS destIPs BY destIP
| where count>100