Hello,
I am trying to do a complex search for almost 500 IP addresses to see which ones are active. My query looks like this:
index=DEVICE | table srcip IP OR IP OR IP and so on.
However, the table with the source IP addresses that I got back has an IP address for each event. Is there any way to get the IP address only once to check if it's active or not? Also, I am not sure if there is any efficient query that I could use instead of all the ORs?
I ran this one as well. Thanks.
Like this:
index=DEVICE (src_ip="1.1.1.1" OR src_ip="1.1.1.2" OR src_ip="1.1.1.3" OR ...) | stats count by src_ip
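As an added example (not from the original answer), the same "count by source IP" idea can be driven from a list of addresses instead of 500 hand-typed ORs. The first query assumes a lookup file named ip_watchlist.csv with a single column src_ip (both names are assumptions; the column must match the field name in the DEVICE events). The subsearch expands the list into the OR expression automatically, and the append of the lookup with event_count=0 makes addresses that never appeared in the search window show up as well, so the result lists every watched IP exactly once with its status. The second query does the same with a list typed directly into the search, for the case where no CSV is available.

```spl
index=DEVICE
    [ | inputlookup ip_watchlist.csv | fields src_ip ]
| stats count AS event_count, max(_time) AS last_seen BY src_ip
| append
    [ | inputlookup ip_watchlist.csv | fields src_ip | eval event_count=0 ]
| stats sum(event_count) AS event_count, max(last_seen) AS last_seen BY src_ip
| eval status=if(event_count > 0, "active", "no events in range")
| convert ctime(last_seen)
| sort - event_count

index=DEVICE
    [ | makeresults
      | eval src_ip=split("1.1.1.1,1.1.1.2,1.1.1.3", ",")
      | mvexpand src_ip
      | fields src_ip ]
| stats count AS event_count, max(_time) AS last_seen BY src_ip
| convert ctime(last_seen)
```

The subsearch in square brackets returns (src_ip="1.1.1.1") OR (src_ip="1.1.1.2") OR ..., which is what the OR chain in the answer above spells out by hand; the default subsearch result limit (10,000 rows) is well above 500 addresses. The sample IPs in the second query are constructed placeholders.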
Thanks for your reply. What would the query look like if I want to type in the IP addresses instead of using a .csv file?
I'm asking for sample data because I don't understand what ... | table srcip IP OR IP OR IP is meant to do. Neither do I know what kind of data you have in your DEVICE index.
Take a few lines of your source file, anonymize sensitive data, and paste it here.
Sample data?
That's my query
index=DEVICE (source device) | table srcip IP OR IP OR IP
I am getting a table with the source IP address from each event. I am trying to remove duplicates.
Could you post some sample data?