I have the following search that looks for a count of blocked domains per IP:
index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count by src_ip
How would I limit the results to the top 10 IPs and still retain the count of blocked domains per IP? I've tried limit and head commands, but it nullifies the count of blocked domains per IP format.
Thx
I think I figured it out after some fiddling. My query now looks like this:
index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count, sum(count) as total by src_ip
|sort -total | head 10
|fields - total
which retains the format of the count by domain per source IP and only shows the top 10
Thanks for this. If I want to see the top 10 and have all the other IPs grouped into "others", what would the search be? Can you please help?
Try like this
index=indexname
|stats count by domain,src_ip
|sort -count
| streamstats count as rank by src_ip | where rank<=10
|stats list(domain) as Domain, list(count) as count by src_ip
Update
If you're looking for top 10 src_ip, then try this
index=indexname
| stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count, sum(count) as total by src_ip
| sort -total | head 10
Thx for the modified search - retains the format of count of blocked domains per IP, but getting the full list of source IPs (src_ip) and not just the top 10.
Hello
Have you tried something like:
| top 10 src_ip
For example:
index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count by src_ip
| top 10 src_ip
I have, but the count for the top 10 hosts all equal 1.
Doing |top 10 Domain by src_ip provides the same output of the count equaling 1.
Thx
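Added example (not a query from any of the posters above) covering both open points in this thread: the request to keep the top 10 source IPs and fold everything else into an "others" row, and the observation that `| top 10 src_ip` after the second `stats` reports a count of 1 for every host. The second point has a simple cause: once `stats ... by src_ip` has run, each IP is exactly one row, so `top` is counting rows and every IP occurs once; `top` has to see the per-event (or per-domain) rows to produce a meaningful count. The search below ranks IPs by their total blocked-domain count with `eventstats` and `streamstats`, keeps the per-domain list for the top 10, and collapses the remainder. `index=indexname`, `src_ip` and `domain` are the field names used in the thread; the threshold of 10 and the labels `others` / `all domains` are assumptions you can change.

```spl
index=indexname
| stats count by src_ip, domain
``` per-(IP, domain) rows, exactly as in the original search
| eventstats sum(count) as total by src_ip
``` total blocked domains per IP, attached to every row of that IP
| sort 0 -total, src_ip, -count
``` sort 0 disables the default 10000-row sort limit; src_ip breaks ties so each IP's rows stay contiguous
| streamstats dc(src_ip) as ip_rank
``` running distinct count of IPs gives each IP its rank (1 = busiest)
| eval src_ip=if(ip_rank<=10, src_ip, "others"),
       domain=if(ip_rank<=10, domain, "all domains")
``` everything past rank 10 is relabelled into one bucket
| stats sum(count) as count by src_ip, domain
``` re-aggregate so the "others" bucket becomes a single row
| eventstats sum(count) as total by src_ip
| sort 0 -total, -count
| stats list(domain) as Domain, list(count) as count, first(total) as total by src_ip
``` list() keeps arrival order, so domains appear highest-count first, as in the original
| eval order=if(src_ip=="others", 1, 0)
| sort 0 order, -total
``` force the "others" row to the bottom regardless of its total
| fields - order, total
```

Two caveats worth knowing: `list()` returns at most 100 values per field, so an IP with more than 100 distinct blocked domains will show a truncated list (use `values()` with `dc(domain)` if you only need the set and the number); and the `sort` commands carry an explicit `0` because without it `sort` silently stops at 10000 rows, which is an easy way to lose IPs on a busy proxy or DNS index. If you only need the IP totals and not the per-domain breakdown, `| top limit=10 src_ip useother=t` on the per-domain rows (before any `stats ... by src_ip`) gives the same top-10-plus-OTHER table in one command.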