I'm experiencing some difficulties when using count, the below search query works by listing sip (source ip) against all the siganmes (signatures) which were triggered against the sip. I'm trying to break this down further with a count of these signatures, so:
sip signature count
22.214.171.124 UDP Flood 4
TCP Flood 56
126.96.36.199 UDP Flood 6
TCP Flood 34
I've constructed the following search:
idp-01 signame=* | transaction sip signame count by eventid | table sip signame |stats list(signame) by sip
eventid is a unique reference for each event, this gives me:
188.8.131.52 UDP Flood
[repeats 56 times]
Any clues where I’m going wrong here?
counting by sip, signame breaks the table with two columns sip and list(signature), with the sip detailing the source ip associated with the signatures triggered. I'm looking for a third column with a count of the number of times each signature was triggered. Each log has a unique field "eventid" so was looking at using this as a counter.