How to search multiple dstIP traffic most efficiently

SimonM — Fri, 25 Feb 2022 00:12:36 GMT

Its a basic request however has been causing me grief:

Easiest / most efficient way to find Destination IP (dstip) for multiple IP list:

I regularly am supplied with a list of IP (10-20) for confirmation

Need to stop using ;

OR "" OR "" OR ""

Like to use simple lookup for multiple dstIP if possible - copy and paste IP scenario

index=? if dstip = 1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 | table hostname, hostip

Yes I'm learning but I super appreciate any help with this easy one > will save me hours

Re: How to search multiple dstIP traffic most efficiently

yuanliu — Fri, 25 Feb 2022 09:35:19 GMT

I am confused. Is this a simple exercise of list operator IN in search? (Search: Comparison expression options)

index=? dstip IN ( 1.2.3.4, 2.3.4.5, 3.4.5.6, 4.5.6.7) | table hostname, hostip