Hi,
I am challenging myself to solve a problem which came up last week.
The idea is to first make a set diff between two different time frames, which results in an IP table, and then take all those IPs and count how many times they appeared in a much larger time frame.
I have "set diff" working for now, giving me the IP table with the uncommon IPs correctly. What I can't work out is how/where to feed this table.
| set diff [search source=*Host_Enumeration* earliest=-14d@d latest=-8d@d | stats count by dest_ip |sort dest_ip | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now | stats count by dest_ip |sort dest_ip | table dest_ip ] | search earliest=-30d latest=now | stats count(dest_ip) by dest_ip
The above query works up to the end of "set diff". Where everything gets screwed up is the search that follows it.
I am not sure if this is very easy or not, but if you could give me a hint or whatever, I would be grateful.
Regards,
Evang
Try this (assuming, for searching in the longer period, the source remains the same)
source=*Host_Enumeration* earliest=-30d latest=now [| set diff [search source=*Host_Enumeration* earliest=-14d@d latest=-8d@d | stats count by dest_ip |sort dest_ip | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now | stats count by dest_ip |sort dest_ip | table dest_ip ]]
| stats count(dest_ip) by dest_ip
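For comparison, here is the same result computed without a subsearch. This is an added example, not part of the original thread or of somesoni2's answer; it assumes the same source and the same dest_ip field as the searches above. It reproduces what set diff gives you (an IP that shows up in exactly one of the two windows) inside a single 30-day search, using window flags and stats. That matters once the IP table grows: a subsearch is capped at 10,000 results and 60 seconds by default (limits.conf, [subsearch] maxout and maxtime), and a truncated subsearch silently shrinks the final count table with no error in the results.

```spl
source=*Host_Enumeration* earliest=-30d latest=now
| eval window=case(
      _time>=relative_time(now(),"-14d@d") AND _time<relative_time(now(),"-8d@d"), "old",
      _time>=relative_time(now(),"-7d@d"), "new",
      true(), "other")
| stats count AS total_30d,
        count(eval(window="old")) AS old_cnt,
        count(eval(window="new")) AS new_cnt
  BY dest_ip
| where (old_cnt>0 AND new_cnt=0) OR (old_cnt=0 AND new_cnt>0)
| fields dest_ip total_30d
| sort - total_30d
```

total_30d is the count of events for each surviving dest_ip over the whole 30 days, the same number the subsearch version produces. The where clause is the symmetric difference that set diff returns; if you only care about IPs that are new in the last 7 days, change it to `old_cnt=0 AND new_cnt>0`. The day between -8d@d and -7d@d falls outside both windows, exactly as in the original two subsearches, so events from that day contribute to total_30d but not to the old/new flags.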
Thank you very much somesoni2.
That worked perfectly!
Regards,
Evang