I want to search the logs that have a combination of source and destination IPs.
For example, I want to search the logs where the source is any of (a, b, c, d, etc.) and the destination is any of (1, 2, 3, 4, etc.).
Now for fewer cases, my query would be something like this:
index=x (source=a OR source=b OR source=c) AND (destination=1 OR destination=2 OR destination=3)
Is there any easier way to do the above for larger cases, like if I have 10 sources and 10 destinations and I want to check for each combination, without importing a CSV or anything, just a basic query?
You can use the IN operator like this:
index=x (source IN("a", "b", "c")) AND (destination IN("1", "2", "3"))
You could also exploit 2 lookup files that have these lines:
source
a
b
c
d
Like this:
index=x AND [|inputlookup source.csv | table source] AND [|inputlookup destination.csv | table destination]
You could also use a macro.
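Spelling out the macro route from the answer above, as an added example that is not part of the original answer: a macros.conf stanza holding the IN-based filter, so the two address lists live in one place and every search just references the macro. The macro name watched_pairs, the index name, and the addresses are constructed placeholders, not values from the page.

```ini
# macros.conf (assumed to sit in an app's local/ directory; the name and
# addresses below are constructed placeholders for this example)
[watched_pairs]
# Both lists in one definition; each IN() is wrapped in its own parentheses
# so the AND is unambiguous, and every value is quoted individually.
definition = (source IN("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4")) AND (destination IN("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"))
iseval = 0

# Searches then reference the macro with backticks, e.g.:
#   index=x `watched_pairs`
# which Splunk expands to:
#   index=x (source IN("10.1.1.1", ...)) AND (destination IN("192.0.2.1", ...))
```

Adding the eleventh source or destination is then a one-line change in the stanza rather than an edit to every saved search, and the expanded query still matches every source/destination combination because the two IN() groups are simply ANDed together.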
Are either the source or the destination in the same subnet? If they are, you could do source="10.0.0.*". If not, then you can do the CIDR, but that still limits you to a specific range; you would just be able to have a broader range.