Drill down search command to aggregate stats list(...

hjwang · ‎06-03-2011

dear all

i have logs including fields src-ip,hit-count,attack-dst-ip, and etc.
if i wanna show results table as follows

src-ip, src-ip-city, sum(hit-count), seperate attack-dst-ip, seperate sum(hit-count) by attack-dst-ip

 1.1.1.1 Los Angles, 10, 5.5.5.5, 2
                         6.6.6.6, 3
                         7.7.7.7, 5

here src_ip may have different attack-dst-ip and its corrensponding sum of hit-count,
how can i do this?

i use following search

host="xxx" | fields * | geoip src-ip | where src-ip_countryname="xxx" | stats sum(hit-count), values(dst-ip), list(hit-count) by src-ip, src-ip-city

but list command will list all values rather than sum(hit-count) by previous attack-dst-ip,any good suggestions?thanks a lot.

mkashif · ‎06-03-2011

Use stats count by (src_ip)

hjwang · ‎06-03-2011

i think you might missunderstand what i mean. anyway,thanks

Drill down search command to aggregate stats list() count?