I'm trying to get my current 2 searches into 1. I am trying to get a list of all source and destination IPs based on the same destination port. I have it in 2 searches by doing this on the end of my search:
| stats count by src_ip
second search
| stats count by dest_ip
Basically I just need a list of all source IPs and a list of all dest IPs that have the same dest port.
Any tips or help would be greatly appreciated.
I figured it out:
| stats values(src_ip),values(dest_ip) by dest_port
Thanks, this helped me resolve a similar question. I was trying to get a single list of website actions by IP address for a given date, and this helped me figure it out:
| stats values(actions), earliest(datetime) by src_ip
Hi, if you need a list of all source IPs and dest IPs that have the same dest port, try something like:
......|eval src_dest_ip=coalesce(dest_ip,src_ip)|stats values (src_dest_ip)|where ......condition on ip's....
This puts it all into one list. I need them in 2 lists: one list for src and one list for dest.
Hello.
Try this:
index=... sourcetype=... dest_port=*| stats count by src_ip| stats count by dest_ip| table src_ip dest_ip dest_port
This gives 0 results.
I didn't think you can do 2 stats commands like that in a row, because the second one wouldn't have any results: there is no dest IP to count by after the first stats command.
... dest_port=*| table src_ip dest_ip dest_port
Yeah, I tried that already; it shows each src and dest IP paired together.
What do you want now?
A list of all source IPs and a list of all destination IPs for any given destination port. The way you have it shows each IP talking together; I don't need that. I just need a list of the IPs, not what's talking to what.
For example, if you have port number 8000, you want something like this?
dest_port=8000| table src_ip dest_ip dest_port
No, if you do that it lists out multiple results if there are any. For example, if there are 10 src IPs that are 1.1.1.1 it lists that 10 times. Same with dest IPs. So I guess I need unique source IPs and unique dest IPs. Sorry, I should have put unique values in my question.
Ok, now I understand you better. Use the dedup command to have unique values. Try this:
dest_port=8000| dedup src_ip | dedup dest_ip | table src_ip dest_ip dest_port
Yep, already tried that one too. It cuts out some of the IPs for some reason. So, like, if I run my 2 separate searches I get 9 total src IPs and 20 total dest IPs. I run this and it's only giving me 8 of each. So 1 src IP and 12 dest IPs disappeared.
I thought I had it with
| dedup src_ip | stats list(src_ip), list(dest_ip) by dest_port
but it's still showing multiple of the same dest IPs.
Try this:
|transaction dest_port|table dest_port, src_ip, dest_ip
That's still grouping them together somehow. It's making multiple rows with not all the same results in each row.
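As an added illustration (not part of the thread and not Splunk's own code), here is a small Python model of the two approaches discussed above, run over constructed events with the thread's field names: it shows why chaining `| dedup src_ip | dedup dest_ip` silently drops IPs, while `| stats values(src_ip), values(dest_ip) by dest_port` returns the full distinct lists per port. The dedup and stats behaviour is modelled from the SPL semantics, not executed by Splunk.

```python
# Constructed sample events (assumed, not from the thread): one event per
# connection, with the same field names the thread uses.
EVENTS = [
    {"src_ip": "10.0.0.1", "dest_ip": "192.0.2.10", "dest_port": 8000},
    {"src_ip": "10.0.0.1", "dest_ip": "192.0.2.11", "dest_port": 8000},
    {"src_ip": "10.0.0.2", "dest_ip": "192.0.2.10", "dest_port": 8000},
    {"src_ip": "10.0.0.2", "dest_ip": "192.0.2.12", "dest_port": 8000},
    {"src_ip": "10.0.0.3", "dest_ip": "192.0.2.12", "dest_port": 8000},
    {"src_ip": "10.0.0.1", "dest_ip": "192.0.2.20", "dest_port": 443},
]


def dedup(events, field):
    """Model of `| dedup <field>`: keep the first event for each distinct value.

    Every other field of the discarded events is lost along with them."""
    seen, kept = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            kept.append(e)
    return kept


def chained_dedup(events):
    """Model of `| dedup src_ip | dedup dest_ip`.

    The second dedup only sees the survivors of the first, so dest IPs that
    occurred only in events already discarded never appear in the output."""
    return dedup(dedup(events, "src_ip"), "dest_ip")


def stats_values_by_port(events):
    """Model of `| stats values(src_ip), values(dest_ip) by dest_port`.

    Groups on dest_port and collects each field's distinct values as a set,
    so no event is thrown away before its IPs are recorded. Returns
    {dest_port: {"src_ip": [...], "dest_ip": [...]}} with sorted lists."""
    groups = {}
    for e in events:
        g = groups.setdefault(e["dest_port"], {"src_ip": set(), "dest_ip": set()})
        g["src_ip"].add(e["src_ip"])
        g["dest_ip"].add(e["dest_ip"])
    return {p: {f: sorted(v) for f, v in g.items()} for p, g in groups.items()}


if __name__ == "__main__":
    # Chained dedup keeps 2 of 6 events and loses 192.0.2.11 and 192.0.2.20.
    print("dedup rows:", chained_dedup(EVENTS))
    # stats values reports all 3 src and all 3 dest IPs on port 8000.
    print("stats values:", stats_values_by_port(EVENTS))
```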