Consider log entries such as the following:
20110605.132223 CONNECT misc.data 10.10.10.2 ID=12345
20110605.132298 ADD misc.data ID=12345
20110605.132298 MOD misc.data ID=12345
20110605.132298 DISCONNECT misc.data ID=12345
So, this is a transaction, but notice that only the CONNECT event has the IP. I can't group
on the ID value as it is not unique across log files. So I am using transaction to group the records
based on a time range AND the ID.
Now, there may be matches that include other IP addresses. This is because a transaction might be between 2 or more servers. So, post transaction, the resulting record from the search may have other IPs in it.
Ultimately, the purpose of the report is to count the various transaction types (CONNECT, ADD, etc.) by IP, but I only want to include 4 specific IPs in the results. So, my chart will ultimately have only 4 IPs on it.
How can I tell chart to only include the IP addresses that I specify using OR?
Is the ID unique within a log file? If so, the following should work...
Assume that the ip address is extracted into a field named IP and that the transaction type is extracted as a field named transtype.
I'd break this into two steps. First, associate an IP address with a source + ID combination:
sourcetype=yoursourcetype | transaction source, ID mvlist=true | eval reportIP = mvindex(IP,0) | table source, ID, reportIP, transtype
This will give you a table output; notice that transtype will be a list of the various transaction types that appear in the transaction. Also note that we pick up only the first IP address that appears in the transaction. Our next task is to break this back into separate events, so we can count them...
Count the number of each transaction type by IP; add this to the end of the previous search:
| mvexpand transtype | stats count by reportIP, transtype
The full picture
sourcetype=yoursourcetype | transaction source, ID mvlist=true | eval reportIP = mvindex(IP,0) | table source, ID, reportIP, transtype | mvexpand transtype | stats count by reportIP, transtype
I hope this is what you wanted! Let me know if it doesn't work for you.
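As an added example that is not part of the original question or answer, the following Python script re-implements the answer's pipeline (group by source + ID, take the first IP of the transaction, expand the transaction types, count by IP and type) over constructed log lines in the format shown in the question, and adds the filter to the four IPs that the question asks for. The source file names, IP addresses, ID values and the ALLOWED_IPS set are all made up for the example; it is a model of what the Splunk search should produce, not Splunk code.

```python
import re
from collections import defaultdict

# Constructed sample events for this example (not real log data). Each entry is
# (source, line); "source" stands in for the log file, since IDs repeat across
# files but are assumed unique within one file.
SAMPLE_EVENTS = [
    ("serverA.log", "20110605.132223 CONNECT misc.data 10.10.10.2 ID=12345"),
    ("serverA.log", "20110605.132298 ADD misc.data ID=12345"),
    ("serverA.log", "20110605.132298 MOD misc.data ID=12345"),
    ("serverA.log", "20110605.132298 DISCONNECT misc.data ID=12345"),
    # a transaction between two servers: a second IP shows up on a later event
    ("serverA.log", "20110605.140001 CONNECT misc.data 10.10.10.3 ID=12346"),
    ("serverA.log", "20110605.140005 ADD misc.data 10.10.10.9 ID=12346"),
    ("serverA.log", "20110605.140010 DISCONNECT misc.data ID=12346"),
    # the same ID values reused in a different log file
    ("serverB.log", "20110605.150000 CONNECT misc.data 10.10.10.7 ID=12345"),
    ("serverB.log", "20110605.150001 DISCONNECT misc.data ID=12345"),
    ("serverB.log", "20110605.150100 CONNECT misc.data 10.10.10.2 ID=12346"),
    ("serverB.log", "20110605.150102 ADD misc.data ID=12346"),
    ("serverB.log", "20110605.150103 DISCONNECT misc.data ID=12346"),
    # a transaction whose CONNECT fell outside the search window: no IP at all
    ("serverB.log", "20110605.150200 ADD misc.data ID=99999"),
    ("serverB.log", "20110605.150201 DISCONNECT misc.data ID=99999"),
]

# Field extraction: timestamp, transaction type, file, optional IP, ID.
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}\.\d{6}) (?P<transtype>[A-Z]+) (?P<file>\S+)"
    r"(?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))? ID=(?P<id>\d+)$"
)


def parse_line(line):
    """Extract ts, transtype, file, ip (None if absent) and id from one line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    return m.groupdict()


def build_transactions(events):
    """Group events by (source, ID), like `transaction source, ID mvlist=true`.

    Returns {(source, id): {"reportIP": first IP seen or None,
                            "transtype": [types in time order]}}.
    """
    groups = defaultdict(list)
    for source, line in events:
        rec = parse_line(line)
        groups[(source, rec["id"])].append(rec)
    transactions = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        ips = [r["ip"] for r in recs if r["ip"]]  # the multivalue IP field
        transactions[key] = {
            "reportIP": ips[0] if ips else None,   # first IP, i.e. mvindex(IP,0)
            "transtype": [r["transtype"] for r in recs],
        }
    return transactions


def count_by_ip(transactions, allowed_ips):
    """Equivalent of `mvexpand transtype | stats count by reportIP, transtype`,
    restricted to the IPs in allowed_ips.

    Transactions with no IP (reportIP None) are dropped, as a null group-by
    value would be dropped by stats.
    """
    counts = defaultdict(int)
    for tx in transactions.values():
        ip = tx["reportIP"]
        if ip is None or ip not in allowed_ips:
            continue
        for transtype in tx["transtype"]:
            counts[(ip, transtype)] += 1
    return dict(counts)


# The four IPs wanted on the chart (hypothetical addresses).
ALLOWED_IPS = {"10.10.10.2", "10.10.10.3", "10.10.10.4", "10.10.10.5"}

if __name__ == "__main__":
    result = count_by_ip(build_transactions(SAMPLE_EVENTS), ALLOWED_IPS)
    for (ip, transtype), n in sorted(result.items()):
        print(ip, transtype, n)
```

Two things the script makes explicit that the search leaves implicit: the IP attributed to a transaction is the first one in event order, which in Splunk is mvindex(IP,0) because mvindex is zero-based, and the IP restriction is applied on reportIP after the transaction is built (in SPL, a `search reportIP=a OR reportIP=b OR ...` between the mvexpand and the stats), not on the raw events, since only the CONNECT event carries an IP and the other events would otherwise be discarded.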