This is a search string I inherited, and for the most part it has worked fine. There is a desire to modify it, and I thought I would seek help.
index=firewall host=10.214.0.11 NOT src_ip=172.26.22.192/26 | stats count by src_ip, dest_ip | appendpipe [| stats sum(count) as count by src_ip |eval keep=1 | eventstats sum(count) as total_log_count ] | appendpipe [| stats sum(count) as count by dest_ip |eval keep=1 | eventstats sum(count) as total_log_count ] |where keep=1| sort -count | head 20 | where total_log_count > 1000000
Below are example outputs received, from separate instances:
src_ip | dest_ip | count | keep | total_log_count |
192.168.14.11 | 39164 | 1 | 1008943 | |
192.168.14.11 | 32239 | 1 | 1008943 | |
10.80.0.243 | 31880 | 1 | 1008943 | |
143.251.111.100 | 30773 | 1 | 1008943 | |
156.33.250.10 | 15544 | 1 | 1008943 | |
192.242.214.186 | 13793 | 1 | 1008943 | |
172.253.63.188 | 12359 | 1 | 1008943 | |
192.168.5.46 | 12346 | 1 | 1008943 | |
192.168.10.146 | 10987 | 1 | 1008943 | |
192.168.3.19 | 9079 | 1 | 1008943 | |
192.168.3.195 | 8970 | 1 | 1008943 | |
192.168.3.18 | 8074 | 1 | 1008943 | |
172.18.3.42 | 7709 | 1 | 1008943 | |
192.168.14.23 | 7647 | 1 | 1008943 | |
192.168.5.46 | 7583 | 1 | 1008943 | |
172.253.63.188 | 6549 | 1 | 1008943 | |
172.33.250.10 | 5806 | 1 | 1008943 | |
192.168.24.65 | 5654 | 1 | 1008943 | |
172.253.115.188 | 5494 | 1 | 1008943 | |
192.168.24.134 | 4388 | 1 | 1008943 | |
src_ip | dest_ip | count | keep | total_log_count |
87.114.132.220 | 45441 | 1 | 1005417 | |
192.168.35.6 | 39597 | 1 | 1005417 | |
192.168.14.15 | 31629 | 1 | 1005417 | |
172.30.5.9 | 16348 | 1 | 1005417 | |
10.80.0.243 | 15444 | 1 | 1005417 | |
196.199.95.18 | 13883 | 1 | 1005417 | |
172.253.62.139 | 12703 | 1 | 1005417 | |
192.168.12.45 | 11957 | 1 | 1005417 | |
172.253.115.188 | 10010 | 1 | 1005417 | |
192.168.3.19 | 9676 | 1 | 1005417 | |
192.168.35.16 | 9641 | 1 | 1005417 | |
192.168.5.146 | 9290 | 1 | 1005417 | |
192.168.25.46 | 7440 | 1 | 1005417 | |
172.253.115.188 | 7292 | 1 | 1005417 | |
192.168.3.18 | 6163 | 1 | 1005417 | |
192.168.39.18 | 6063 | 1 | 1005417 | |
176.155.19.207 | 5818 | 1 | 1005417 | |
4.188.95.188 | 4947 | 1 | 1005417 | |
5.201.73.253 | 4942 | 1 | 1005417 | |
45.225.238.30 | 4938 | 1 | 1005417 | |
Is there a way to modify the query such that it only triggers if there is a single entity causing logs greater than a certain number (e.g. 50000) in combination with the total logs also being over a certain threshold? There is still a desire to see an output reporting the top 20 IPs.
Your time, consideration and helpful suggestions are appreciated.
Thank you.
BTW, I did try the following modification, but the result was not what was desired:
index=firewall host=10.214.0.11 NOT src_ip=172.26.22.192/26 | stats count by src_ip, dest_ip | appendpipe [| stats sum(count) as count by src_ip |eval keep=1 | eventstats sum(count) as total_log_count ] | appendpipe [| stats sum(count) as count by dest_ip |eval keep=1 | eventstats sum(count) as total_log_count ] |where keep=1| sort -count | head 20 | where total_log_count > 500000 AND count > 30000
I received the following output, which eliminated the rest of the IPs I was hoping to see:
src_ip | dest_ip | count | keep | total_log_count |
192.168.23.5 | 39035 | 1 | 785936 | |
192.168.23.5 | 31974 | 1 | 785936 |
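The requirement in the question (alert only when one entity alone exceeds a per-entity threshold AND the total exceeds a second threshold, but still report the full top 20) is a gate on the aggregate, whereas a per-row `where count > N` filter drops every row below N. The Python below is an added example, not the poster's search or Splunk code: it models the two `appendpipe` branches (sum by src_ip, sum by dest_ip) over a constructed stand-in for the `stats count by src_ip, dest_ip` output and shows both behaviours side by side. All IPs, counts, and the function names are constructed for this example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the rows produced by `stats count by src_ip, dest_ip`:
# (src_ip, dest_ip, count). Values are made up for this example.
PAIR_COUNTS: List[Tuple[str, str, int]] = [
    ("192.168.1.10", "203.0.113.5", 420_000),
    ("192.168.1.10", "203.0.113.6", 180_000),
    ("192.168.1.11", "203.0.113.5", 150_000),
    ("192.168.1.12", "203.0.113.7", 90_000),
    ("192.168.1.13", "203.0.113.8", 70_000),
    ("192.168.1.14", "203.0.113.9", 60_000),
    ("192.168.1.15", "203.0.113.7", 45_000),
    ("192.168.1.16", "203.0.113.10", 30_000),
]

Row = Dict[str, object]


def total_log_count(pairs: List[Tuple[str, str, int]]) -> int:
    """Equivalent of `eventstats sum(count) as total_log_count`: one number for the whole result."""
    return sum(n for _, _, n in pairs)


def per_entity_totals(pairs: List[Tuple[str, str, int]]) -> List[Row]:
    """Mirror the two appendpipe branches: one row per src_ip and one row per dest_ip,
    each carrying the summed count for that single entity, sorted descending."""
    by_src: Counter = Counter()
    by_dst: Counter = Counter()
    for src, dst, n in pairs:
        by_src[src] += n
        by_dst[dst] += n
    rows: List[Row] = [{"src_ip": ip, "dest_ip": None, "count": n} for ip, n in by_src.items()]
    rows += [{"src_ip": None, "dest_ip": ip, "count": n} for ip, n in by_dst.items()]
    rows.sort(key=lambda r: r["count"], reverse=True)  # stable: ties keep src rows first
    return rows


def per_row_filter(pairs: List[Tuple[str, str, int]], entity_threshold: int) -> List[Row]:
    """Behaviour of appending `AND count > N` to the final where: every row below N disappears,
    so the 'top 20' report shrinks to only the rows that individually exceed N."""
    return [r for r in per_entity_totals(pairs) if r["count"] > entity_threshold]


def gated_top_talkers(
    pairs: List[Tuple[str, str, int]],
    entity_threshold: int = 50_000,
    total_threshold: int = 1_000_000,
    top_n: int = 20,
) -> Optional[List[Row]]:
    """Alert-style gate: return the full top-N list only when BOTH conditions hold
    (the single largest entity exceeds entity_threshold AND the total exceeds
    total_threshold). Returns None when the gate is closed, i.e. nothing to report."""
    rows = per_entity_totals(pairs)
    if not rows:
        return None
    largest_single_entity = rows[0]["count"]  # the max over all entity rows
    if total_log_count(pairs) <= total_threshold or largest_single_entity <= entity_threshold:
        return None
    return rows[:top_n]


if __name__ == "__main__":
    print("total:", total_log_count(PAIR_COUNTS))
    print("per-row filter keeps", len(per_row_filter(PAIR_COUNTS, 30_000)), "rows")
    report = gated_top_talkers(PAIR_COUNTS)
    print("gated report:", "no alert" if report is None else f"{len(report)} rows")
```

The design point is where the threshold is evaluated: `gated_top_talkers` computes the maximum entity count once and uses it (together with the total) to decide whether to emit anything at all, so when the gate opens the whole top-20 list is reported unchanged. In SPL the analogous move is to derive the maximum across the kept rows (for example with `eventstats max(count)`) and put the threshold test on that derived field rather than on each row's own `count`.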