I've been playing around with eval, transaction, and stats and I still can't figure this one out... so I'm asking for help. This is a search for an IDS system and what I'm trying to do is to list the number of total hits by src_ip and signature. This is an example of what I've tried:
sourcetype="IDS" | transaction src_ip signature | table src_ip signature hit_count | sort -hit_count
These are the results that I'm getting (the hit counts are not totaled up):
src_ip          signature  hit_count
188.8.131.52    attack-A   100 200 200
184.108.40.206  attack-B   100 100 100
220.127.116.11  attack-B   50 50
18.104.22.168   attack-C   20 30
22.214.171.124  attack-X   8 2
126.96.36.199   attack-A   3 2
And these are the results that I'm looking for:
src_ip          signature  hit_count
188.8.131.52    attack-A   500
184.108.40.206  attack-B   300
220.127.116.11  attack-B   100
18.104.22.168   attack-C   50
22.214.171.124  attack-X   10
126.96.36.199   attack-A   5
Does anyone know how to do this? Thanks.
Perhaps something like this?
sourcetype="IDS" | transaction src_ip signature | stats sum(hit_count) by src_ip as hits | table src_ip signature hits | sort -hits
Hi, thanks for the suggestion, but when I just tried it, it returned no results: 151 matching events & no matching fields exist.
Try '... | stats sum(hit_count) by src_ip,signature as hits | ...'
You have to rename the statistic before you group by src_ip. Also, if you want the "signature" field in your table, you'll have to group by that field as well:
... | stats sum(hit_count) as hits by src_ip signature | table ...
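A complete form of the corrected search, added here as an illustration and not taken from the thread. Instead of reading IDS events it fabricates two of the poster's rows with makeresults; the multivalue hit_count stands in for what transaction produces, and mvexpand splits it so that stats sums every value once.

```spl
| makeresults count=1
| eval src_ip="188.8.131.52", signature="attack-A", hit_count=mvappend("100","200","200")
| append [ | makeresults count=1
           | eval src_ip="184.108.40.206", signature="attack-B", hit_count=mvappend("100","100","100") ]
| mvexpand hit_count
| stats sum(hit_count) AS hits BY src_ip signature
| table src_ip signature hits
| sort -hits
```

The rename (AS hits) comes before BY, and both src_ip and signature are in the BY clause, so the result is one row per pair: 188.8.131.52 attack-A 500 and 184.108.40.206 attack-B 300.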