So, this is a transaction, but notice that only the CONNECT event has the IP. I can't group
on the ID value as it is not unique across log files. So I am using transaction to group the records
based on a time range AND the ID.
Now, there may be matches that include other IP addresses. This is because a transaction might be between 2 or more servers. So, post transaction, the resulting record from the search may have other IPs in it.
Ultimately, the purpose of the report is to count the various transaction types (CONNECT, ADD, etc.) by IP, but I only want to include 4 specific IPs in the results. So, my chart will ultimately have only 4 IPs on it.
How can I tell chart to only include the IP addresses that I specify using OR?
This will give you a table output; notice that transtype will be a list of the various transaction types that appear in the transaction. Also note that we pick up only the first IP address that appears in the transaction. Our next task is to break this back into separate events, so we can count them...
Count the number of each transaction type by IP - add this to the end of the previous search
| mvexpand transtype | stats count by reportIP, transtype
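The pipeline the answer describes (group events by ID within a time window, keep the first IP seen in each group as reportIP, collect the transaction types as a multivalue field, restrict to the four IPs of interest, then expand and count) is shown below as an added Python example. It is not code from the original post and it does not use Splunk; it re-implements the same logic over a few constructed log lines so the grouping and counting can be checked offline. The field names reportIP and transtype are taken from the answer; the log format, the four allowed IPs, the 60-second window and the parse/build/count functions are all assumptions made for this example.

```python
from collections import Counter

# Constructed sample log (not from the original post): "timestamp id type [ip]".
# Only CONNECT events carry an IP, and ID "A1" is reused later by a different server,
# which is why grouping must consider time as well as ID.
SAMPLE_LOG = """\
1000 A1 CONNECT 10.0.0.1
1001 A1 ADD
1002 A1 DELETE
1050 B7 CONNECT 10.0.0.2
1051 B7 ADD
2000 A1 CONNECT 10.0.0.3
2001 A1 ADD
3000 C3 CONNECT 192.168.1.9
3001 C3 ADD
"""

# The four IPs the report should be limited to (hypothetical values).
ALLOWED_IPS = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}

# Stand-in for the transaction command's time window (seconds); an assumption.
MAX_SPAN = 60


def parse(log_text):
    """Turn the constructed log lines into event dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, ident, ttype = int(parts[0]), parts[1], parts[2]
        ip = parts[3] if len(parts) > 3 else None
        events.append({"_time": ts, "id": ident, "transtype": ttype, "ip": ip})
    return sorted(events, key=lambda e: e["_time"])


def build_transactions(events, max_span=MAX_SPAN):
    """Group by ID AND time: an event more than max_span seconds after the
    start of the open transaction for its ID begins a new transaction.
    reportIP is the first IP seen in the group; transtype is a list."""
    open_tx = {}   # id -> transaction currently being built
    closed = []
    for ev in events:
        tx = open_tx.get(ev["id"])
        if tx is None or ev["_time"] - tx["start"] > max_span:
            if tx is not None:
                closed.append(tx)
            tx = {"id": ev["id"], "start": ev["_time"],
                  "transtype": [], "reportIP": None}
            open_tx[ev["id"]] = tx
        tx["transtype"].append(ev["transtype"])
        if tx["reportIP"] is None and ev["ip"]:
            tx["reportIP"] = ev["ip"]
    closed.extend(open_tx.values())
    return closed


def count_by_ip_and_type(transactions, allowed=ALLOWED_IPS):
    """Keep only transactions whose reportIP is in the allow-list, then
    expand the transtype list (mvexpand) and count per (reportIP, transtype)."""
    counts = Counter()
    for tx in transactions:
        if tx["reportIP"] not in allowed:
            continue
        for ttype in tx["transtype"]:
            counts[(tx["reportIP"], ttype)] += 1
    return dict(counts)


if __name__ == "__main__":
    txs = build_transactions(parse(SAMPLE_LOG))
    for (ip, ttype), n in sorted(count_by_ip_and_type(txs).items()):
        print(f"{ip:<15} {ttype:<8} {n}")
```

In the Python version the allow-list check sits between building the transactions and expanding them, which is where an equivalent OR filter on reportIP would go in the search: after the transaction step and before the mvexpand and stats stages, so the 192.168.1.9 group is dropped before anything is counted. The reused ID A1 ends up in two separate transactions because its second CONNECT arrives outside the window, matching the point made in the question about grouping on time range as well as ID.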