So I have web logs 🙂; web logs contain source IP, destination IP and other info.
I am trying to write a search that will show me all the destination IPs that only a single source IP has requested.
Example is something like more than 100 source IPs connected to Google's IP, however, only a single IP has connected to hxxp://iambad.com .
Any ideas on how to craft this search? I have been trying using:
| stats count(dest_ip) as DEST by src_ip
| where DEST = 1
However, this returns any destination IP that has been visited once PER source IP and not all source IPs.
I hope the above makes sense and you can help.
I think I understand...
<base search> | stats values(src_ip) as src_ips by dest_ip | where mvcount(src_ips) = 1
for every destination ip, we collect the list of unique source ips that connected to it, and keep only those where there is only 1 source ip in that list
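The same aggregation as the answer above, carried out in Python over a handful of constructed proxy log lines so the difference between "group by dest_ip" (the answer) and "group by src_ip" (the asker's attempt) is visible. This is an added example, not code from the thread or from Splunk; the log lines, IP addresses and the key=value layout are all made up, and only the field names src_ip/dest_ip are taken from the thread.

```python
"""Rare-destination check: which destination IPs were reached by exactly one
source IP?  Added example, not from the original post.  The sample log lines
are constructed; only the field names src_ip/dest_ip come from the thread."""
from collections import defaultdict

# Constructed sample web-proxy log lines (key=value style). Documentation
# address ranges are used, so none of these are real hosts.
SAMPLE_LOGS = """\
src_ip=10.0.0.5 dest_ip=192.0.2.10 url=www.google.com status=200
src_ip=10.0.0.6 dest_ip=192.0.2.10 url=www.google.com status=200
src_ip=10.0.0.7 dest_ip=192.0.2.10 url=www.google.com status=200
src_ip=10.0.0.7 dest_ip=203.0.113.9 url=iambad.com status=200
src_ip=10.0.0.7 dest_ip=203.0.113.9 url=iambad.com status=200
src_ip=10.0.0.5 dest_ip=198.51.100.20 url=cdn.example status=304
src_ip=10.0.0.8 dest_ip=198.51.100.20 url=cdn.example status=200
"""


def parse_kv(line):
    """Split a 'key=value key=value' log line into a dict (hypothetical format)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def sources_by_dest(lines):
    """Equivalent of `stats values(src_ip) as src_ips by dest_ip`:
    for each dest_ip, the set of distinct src_ips that connected to it."""
    groups = defaultdict(set)
    for line in lines:
        fields = parse_kv(line)
        if "src_ip" in fields and "dest_ip" in fields:
            groups[fields["dest_ip"]].add(fields["src_ip"])
    return groups


def single_source_destinations(lines):
    """Equivalent of the full answer, i.e. `... | where mvcount(src_ips) = 1`.
    Returns {dest_ip: the one src_ip} for destinations seen from exactly one
    source, regardless of how many times that source requested them."""
    return {
        dest: next(iter(srcs))
        for dest, srcs in sources_by_dest(lines).items()
        if len(srcs) == 1
    }


def request_counts_by_source(lines):
    """What the asker's attempt (`stats count(dest_ip) as DEST by src_ip`)
    actually measures: the number of requests made by each source IP.
    Filtering this with `DEST = 1` yields sources that made a single request,
    which is a different question from the one being asked."""
    counts = defaultdict(int)
    for line in lines:
        fields = parse_kv(line)
        if "src_ip" in fields and "dest_ip" in fields:
            counts[fields["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for dest, srcs in sources_by_dest(lines).items():
        print(f"{dest:16} contacted by {len(srcs)} source(s): {sorted(srcs)}")
    print("single-source destinations:", single_source_destinations(lines))
    print("requests per source:", request_counts_by_source(lines))
```

Run against the constructed sample, the popular destination (three sources) and the CDN (two sources) drop out and only 203.0.113.9, reached solely by 10.0.0.7, remains; grouping by src_ip instead just tells you that 10.0.0.6 and 10.0.0.8 each made one request, which is why the asker's version did not answer the question.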
I'm not sure I understand your example very well, but I can tell you that if you want to view all destination IPs that each source IP has requested, you will need to perform a stats command and split by src_ip (e.g. | stats list(dest_ip) by src_ip). As for the particular function you want, I would recommend checking out list or values first, as they are most likely what you want.