I need to create a search that counts IPs which return events for two different fields in the same index. Search 1 will not contain field1=ABC when Search 2 contains field2=123.
Search 1:
index=weblogs field1=ABC
Search 2:
index=weblogs field2=123
If I understand the question correctly, this may get you started.
index=weblogs (field1=ABC OR field2=123)
| stats dc(IP)
I think this will count if the IP has returned one of these fields, but I need to determine the number of unique IPs that have hit both of these fields.
You'll want this then
index=weblogs (field1=ABC OR field2=123)
| eval matched=case(field1=="ABC","field1", field2=="123","field2")
| stats dc(matched) as fieldOccurrence by IP
| where fieldOccurrence=2
This is counting how many fields there are by IP and then filtering out only those with both field occurrences.
Hope this helps.
Thank you for the response!
I may not be explaining this quite well, but I'll try to be a little more specific for this scenario:
I need to determine in the web logs how many unique IPs have hit a specific URL (field1=ABC) and also have visited a URL that generates a certain value in field2.
field1=ABC will not be present in the same log where field2=123. These logs are in the same index and sourcetype.
index=weblogs (field1=ABC OR field2=123)
| eval state=case(field1=="ABC","field1", field2=="123","field2")
| stats count(eval(state=="field1")) as field1_count, count(eval(state=="field2")) as field2_count by IP
| where field1_count>0 AND field2_count>0
| stats dc(IP) as unique_ips
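As an added worked example (not part of either answer above), here is the same "IP seen under both conditions" logic from the two answers carried through to a result set a practitioner can actually act on: one row per IP that matched both field1=ABC and field2=123, with hit counts and first/last seen times, plus the distinct count of such IPs on every row. The index name and the IP, field1 and field2 field names come from the thread; hit_abc, hit_123, first_seen, last_seen and unique_ips_hitting_both are names chosen here. field2 is compared as a string via tostring() because an auto-extracted value may be typed as either a number or a string.

```spl
index=weblogs (field1="ABC" OR field2="123")
| eval hit_abc=if(field1=="ABC", 1, 0), hit_123=if(tostring(field2)=="123", 1, 0)
| stats sum(hit_abc) AS abc_hits, sum(hit_123) AS f2_hits, min(_time) AS first_seen, max(_time) AS last_seen BY IP
| where abc_hits > 0 AND f2_hits > 0
| eventstats dc(IP) AS unique_ips_hitting_both
| convert ctime(first_seen) ctime(last_seen)
| table IP abc_hits f2_hits first_seen last_seen unique_ips_hitting_both
```

The flags are summed per IP rather than counted with dc() so that an IP which hit a URL several times is still reported once, with the number of hits preserved. Because the two conditions never occur in the same event, an IP only survives the where clause if it has at least one event of each kind. If only the headline number is needed, replace the last three lines with `| stats dc(IP) AS unique_ips_hitting_both`; if the sourcetype is known, add it to the base search to keep the search from scanning unrelated data in the index.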
Your sample is wrong, can you fix it into an actual query?