sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp." " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total." " | sort - Total | rename Dest_Host AS Source
Tried a subsearch but no joy:
sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp." " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total." " | sort - Total | rename Dest_Host AS Source | search | stats count by Source, Total | where count >100
If your first search works, then this should do it:
sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp." " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval count=Total | eval Total = Total." " | sort - Total | rename Dest_Host AS Source | where count>100 | fields - count
BTW, this is not called a subsearch, and it confused the question very much that you used that term. I suppose this might be called a postsearch...?
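The pipeline the answer above describes, re-expressed in Python as an added example (this is not Splunk code and is not from the original thread): constructed web-access events, a per-(Source_Host, Dest_Host) count, a per-Dest_Host roll-up, and then the numeric filter applied before the display columns get their trailing space. The host addresses and counts are made up for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real log data): each tuple is (Source_Host, Dest_Host).
# Built so that 10.0.0.1 receives 130 connections (kept by the >100 filter)
# and 10.0.0.2 receives 5 (dropped).
SAMPLE_EVENTS = (
    [("192.0.2.10", "10.0.0.1")] * 90
    + [("192.0.2.11", "10.0.0.1")] * 40
    + [("192.0.2.12", "10.0.0.2")] * 3
    + [("192.0.2.13", "10.0.0.2")] * 2
)


def stats_by_pair(events):
    """First `stats count(Source_Host) as temp by Source_Host, Dest_Host`."""
    return Counter(events)


def rollup_by_dest(pair_counts):
    """Second stats: list(Source_Host), list(subtotal), sum(temp) grouped by Dest_Host."""
    groups = defaultdict(lambda: {"Destination": [], "Subtotal": [], "Total": 0})
    # `sort -temp` in the original puts the largest subtotal first within each group.
    for (src, dst), n in sorted(pair_counts.items(), key=lambda kv: -kv[1]):
        g = groups[dst]
        g["Destination"].append(src)
        g["Subtotal"].append(n)
        g["Total"] += n
    return groups


def summarize(events, threshold=100):
    """Full pipeline: filter on the numeric total, then stringify for display.

    The answer's point is `eval count=Total` *before* `eval Total=Total." "`:
    once Total carries a trailing space it is a string, so `where Total>100`
    no longer compares numbers. Here the filter runs on the int before formatting.
    """
    rows = []
    for dst, g in rollup_by_dest(stats_by_pair(events)).items():
        if g["Total"] > threshold:          # numeric `where count>100`
            rows.append({
                "Source": dst,              # `rename Dest_Host AS Source`
                "Destination": g["Destination"],
                "Subtotal": [f"{n} " for n in g["Subtotal"]],   # subtotal = temp." "
                "Total": f"{g['Total']} ",                       # Total = Total." "
            })
    # `sort - Total`; int() tolerates the trailing space we just added.
    rows.sort(key=lambda r: int(r["Total"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Running it prints one row for 10.0.0.1 with Destination `['192.0.2.10', '192.0.2.11']`, Subtotal `['90 ', '40 ']` and Total `'130 '`; lowering `threshold` to 0 brings back the 10.0.0.2 row as well.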
That works thanks!!
Sorry if this seems confusing. Really, what I need is to only show events that are greater than 100 in the Total column.
That is actually two separate searches; it all got mushed together when I posted 🙂
the output looks like this:
Source     Destination   Subtotal   Total
1.1.1.1    2.2.2.2       3          5
           3.3.3.3       2
Again, I posted 2 separate searches to show what I have tried; I don't run BOTH searches.