Hey Giuseppe,

thanks for your answer. But unfortunately this doesn't help me with my problem.
With this commands I get the following output.

 SourceIP     Domains            count
  127.0.0.1     www.google.com     6
  127.0.0.1     www.reddit.com      6
  127.0.0.2    www.google.com      6

I don't want a single line for the identical ip.
Regards, Max

Hi hypePG,
it's not so easy but try this:

your_search
| stats count by client_host domain
| eval col=domain+" - "+count 
| stats values(col) AS col values(domain) AS domain by client_host 
| rex field=col "[^-]\s-\s(?<count>\d+)" 
| table client_host domain count
| rename client_host as SourceIP domain AS Domains

Bye.
Giuseppe

Hey @cusello,

I got one further question. I played a little with your search. If i want to add an additional filter, where i only want to see the IP Adresses which have more than "X" requests I added:

 | search count>10

But than I am loosing the multivalue displaying for the domains. At the moment i cant explain why...

Regards,
Max

Hi hypePG,
if you want to filter the total number of IPs you have to add

| eventstats sum(count) AS Total by host | where Total>X

before the table command.
If instead you want to filter the total number of IPs for each domain you have to add

| where count>X 

after the first stats command.

The logic of my search is the following:

• at first, I count the occurrences for IP and domains;
• I need to insert the eval command because otherwise the order of domain and count fields in the following stats command is different and the only way is to correlate them with eval command;
• after I can show all the domains values for each IP;
• using rex command, I can extract the count value;
• so I can show results.

I hope to be as possible clear!

Bye.
Giuseppe

Hey Giuseppe,

this works just fine! I had some trouble understanding your steps, but finally i worked it out.

Thanks alot.

Regards