Hello,
I have a search (see below) that I'm having a little trouble with. It returns the fields correctly, but it's just a lot of ORs (like src_ip=1 OR src_ip=2 OR src_port=1 OR src_port=2). What I'm trying to figure out is how I would write the query so that the inner search returns the fields in groups to the outer search, like (src_ip=1 AND src_port=1 AND dst_ip=1 AND dst_port=1). Any thoughts? THANKS!
index=firewall sourcetype=juniper_vgw action=allow ip_proto!=17 rule_id!=263
[search index=firewall sourcetype=vmware:dfw rule_id=6710 NOT UDP
| fields src_ip src_port dst_ip dst_port]
How about this
index=firewall sourcetype=juniper_vgw action=allow ip_proto!=17 rule_id!=263
[search index=firewall sourcetype=vmware:dfw rule_id=6710 NOT UDP
| fields src_ip src_port dst_ip dst_port | format]
OR
index=firewall sourcetype=juniper_vgw action=allow ip_proto!=17 rule_id!=263
[search index=firewall sourcetype=vmware:dfw rule_id=6710 NOT UDP
| stats count by src_ip src_port dst_ip dst_port | fields - count | format]
The question is a little convoluted. Could you clarify if you are looking to eval between the two searches or search the "| fields..." for the entire search string? If it's the latter you can just pull it out of the subsearch.
Hi,
You can easily test what your subsearch is doing by using the format command.
For example, in my case I'm simply looking for events that have all four of the fields below and then returning the first two I find. Finally, pipe it to format to see what would happen if you were using this in a subsearch:
index=* src_ip=* src_port=* dest_ip=* dest_port=*
| head 2
| fields src_ip src_port dest_ip dest_port
| format
Output:
( ( dest_ip="10.150.2.155" AND dest_port="53" AND src_ip="10.152.205.27" AND src_port="12345" ) OR ( dest_ip="10.150.2.155" AND dest_port="53" AND src_ip="10.152.205.27" AND src_port="12345" ) )
Which basically means: "Fields from event 1 joined with AND" OR "Fields from event 2 joined with AND"
Let me know if that helps.
Thanks,
J
EDIT: I didn't notice the answer from somesoni above, but that should give you what you are looking for.
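To make the behaviour described in this answer concrete, here is an added example (not part of the thread or of Splunk itself) that rebuilds the string `| format` hands back to the outer search from a set of constructed subsearch rows: each row's fields joined with AND, rows joined with OR, with an option that mirrors the `stats count by ...` trick of collapsing identical rows into one clause.

```python
from typing import Any, Iterable, Mapping

# Constructed rows that mimic the two subsearch results shown in the thread.
SAMPLE_ROWS = [
    {"dest_ip": "10.150.2.155", "dest_port": "53", "src_ip": "10.152.205.27", "src_port": "12345"},
    {"dest_ip": "10.150.2.155", "dest_port": "53", "src_ip": "10.152.205.27", "src_port": "12345"},
]


def quote_value(value: Any) -> str:
    """Render one field value as a double-quoted search literal, escaping
    backslashes and embedded quotes so a value cannot break out of its clause."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def field_clause(name: str, value: Any) -> str:
    """field="v", or ( field="v1" OR field="v2" ) for a multivalue field,
    matching format's default mvsep of OR."""
    if isinstance(value, (list, tuple)):
        return "( " + " OR ".join(f"{name}={quote_value(v)}" for v in value) + " )"
    return f"{name}={quote_value(value)}"


def format_subsearch(rows: Iterable[Mapping[str, Any]], dedup: bool = False) -> str:
    """Emulate `| format` with its default "(" "(" "AND" ")" "OR" ")" layout.
    Fields inside a row are sorted by name, as in the output quoted above.
    dedup=True drops repeated rows, as `stats count by ... | fields - count` would."""
    groups = []
    seen = set()
    for row in rows:
        group = "( " + " AND ".join(field_clause(k, row[k]) for k in sorted(row)) + " )"
        if dedup:
            if group in seen:
                continue
            seen.add(group)
        groups.append(group)
    if not groups:
        # The string Splunk's format returns for an empty subsearch: matches nothing
        return "NOT ()"
    return "( " + " OR ".join(groups) + " )"


if __name__ == "__main__":
    print(format_subsearch(SAMPLE_ROWS))
    print(format_subsearch(SAMPLE_ROWS, dedup=True))
```

Running it reproduces the two-group string from the answer above; the dedup variant collapses the duplicate row into a single AND group.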
That worked, thanks a bunch!