Drill down search command to aggregate stats list() count?


dear all

i have logs including fields src-ip,hit-count,attack-dst-ip, and etc.
if i wanna show results table as follows

src-ip, src-ip-city, sum(hit-count), seperate attack-dst-ip, seperate sum(hit-count) by attack-dst-ip Los Angles, 10,, 2
               , 3
               , 5

here src_ip may have different attack-dst-ip and its corrensponding sum of hit-count,
how can i do this?

i use following search

host="xxx" | fields * | geoip src-ip | where src-ip_countryname="xxx" | stats sum(hit-count), values(dst-ip), list(hit-count) by src-ip, src-ip-city

but list command will list all values rather than sum(hit-count) by previous attack-dst-ip,any good suggestions?thanks a lot.

Use stats count by (src_ip)

i think you might missunderstand what i mean. anyway,thanks

