I'm trying to get my current 2 searches into 1. I am trying to get a list of all source and destination IPs based on the same destination port. I have it in 2 searches by doing this at the end of my search:
| stats count by src_ip
| stats count by dest_ip
Basically I just need a list of all source IPs and a list of all dest IPs that have the same dest port.
Any tips or help would be greatly appreciated.
Thanks, this helped me resolve a similar question. I was trying to get a single list of website actions by IP address for a given date, and this helped me figure it out:
| stats values(actions), earliest(datetime) by src_ip
Hi, if you need a list of all source IPs and dest IPs that have the same dest port,
try something like:
......|eval src_dest_ip=coalesce(dest_ip,src_ip)|stats values (src_dest_ip)|where ......condition on ip's....
I didn't think you can do 2 stats commands like that in a row, because the second one wouldn't have any results, because there is no dest_ip to count by from the first stats command.
A list of all source IPs and a list of all destination IPs for any given destination port. The way you have it shows each IP talking together; I don't need that. I just need a list of the IPs, not what's talking to what.
No, so if you do that it lists out multiple results if there are any. For example, if there are 10 src IPs that are 18.104.22.168, it lists that 10 times. Same with dest IPs. So I guess I need unique source IPs and unique dest IPs. Sorry, I should have put unique values in my question.
Yep, already tried that one too. It cuts out some of the IPs for some reason. So, like, if I run my 2 separate searches I get 9 total src IPs and 20 total dest IPs. I run this and it's only giving me 8 of each. So 1 src IP and 12 dest IPs disappeared.
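The coalesce() suggestion from the answer above, and the disappearing IPs reported in the last reply, reproduced over a handful of constructed events as an added example (this is not code from the original thread; Python stands in for Splunk's stats so it can run offline). Field names src_ip, dest_ip and dest_port follow the thread; the sample events and the helper names are made up for illustration. It computes three things per destination port: the two distinct lists the asker wants (what `stats values(src_ip) values(dest_ip) by dest_port` returns in one search), the merged list the coalesce() pipeline returns, and the IPs the merged list silently drops.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post). Each line mimics
# Splunk's extracted src_ip / dest_ip / dest_port fields; one event has no
# dest_ip so the coalesce() fallback path is exercised.
SAMPLE_EVENTS = """\
src_ip=10.0.0.1 dest_ip=192.0.2.10 dest_port=443
src_ip=10.0.0.2 dest_ip=192.0.2.10 dest_port=443
src_ip=10.0.0.1 dest_ip=192.0.2.11 dest_port=443
src_ip=10.0.0.3 dest_ip=192.0.2.12 dest_port=443
src_ip=10.0.0.3 dest_ip=192.0.2.12 dest_port=22
src_ip=10.0.0.4 dest_port=22
src_ip=10.0.0.1 dest_ip=192.0.2.13 dest_port=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def stats_values_by_dest_port(events):
    """Python equivalent of
         ... | stats values(src_ip) values(dest_ip) by dest_port
    Returns {dest_port: (sorted distinct src_ips, sorted distinct dest_ips)}.
    Both fields are kept separately, so nothing is lost when an event has
    both a source and a destination address."""
    src = defaultdict(set)
    dest = defaultdict(set)
    for e in events:
        port = e.get("dest_port")
        if port is None:
            continue  # stats ... by dest_port drops events without the field
        if "src_ip" in e:
            src[port].add(e["src_ip"])
        if "dest_ip" in e:
            dest[port].add(e["dest_ip"])
    return {p: (sorted(src[p]), sorted(dest[p])) for p in set(src) | set(dest)}


def coalesce_values_by_dest_port(events):
    """Python equivalent of the answer's pipeline, grouped per port:
         ... | eval src_dest_ip=coalesce(dest_ip,src_ip)
             | stats values(src_dest_ip) by dest_port
    coalesce() yields the first non-null argument per event, so src_ip only
    survives for events that have no dest_ip at all."""
    merged = defaultdict(set)
    for e in events:
        port = e.get("dest_port")
        if port is None:
            continue
        value = e.get("dest_ip") or e.get("src_ip")
        if value is not None:
            merged[port].add(value)
    return {p: sorted(v) for p, v in merged.items()}


def missing_after_coalesce(events):
    """IPs present in the two separate lists but absent from the coalesced
    one, per port. This is the gap the asker saw (9 + 20 in two searches,
    8 in the combined one)."""
    separate = stats_values_by_dest_port(events)
    merged = coalesce_values_by_dest_port(events)
    return {
        p: sorted((set(s) | set(d)) - set(merged.get(p, [])))
        for p, (s, d) in separate.items()
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for port, (s, d) in sorted(stats_values_by_dest_port(evs).items()):
        print(f"dest_port={port}: src_ip={s} dest_ip={d}")
    for port, m in sorted(coalesce_values_by_dest_port(evs).items()):
        print(f"dest_port={port}: coalesced={m}")
    for port, lost in sorted(missing_after_coalesce(evs).items()):
        print(f"dest_port={port}: dropped by coalesce={lost}")
```

Running it shows that for port 443 every source address is dropped, because every 443 event carries a dest_ip and coalesce() never falls through to src_ip; on port 22 only the one event with no dest_ip contributes its source. If the two lists must come out of a single search, keeping `values(src_ip)` and `values(dest_ip)` as separate aggregations `by dest_port` avoids the overlap problem entirely.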