I am trying to find the top 5 UrlDestHosts per IP address for the top 25 ip addresses. I have a search which returns the raw information required:
source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | stats count by c_ip, UrlDestHost | stats list(UrlDestHost) list(count) by c_ip
How do I add top parameters, say the top X c_ip entries (based on count) and the top Y UrlDestHosts (based on the count per value of X)?
I think you might have to resort to a subsearch for this (indented for readability):
source="windows_snare_foreweb" cs_network="Internal" action="Allowed"
    [search source="windows_snare_foreweb" cs_network="Internal" action="Allowed"
     | top 25 c_ip
     | fields + c_ip
    ]
| top 5 UrlDestHost by c_ip
The subsearch will just find (and return) the 25 most common c_ip, which are added to the outer search (as c_ip1 OR c_ip2 OR c_ip3 ...). The result is then piped to top.
Hope this helps,
Kristian
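To make the two-stage ranking concrete, here is an added Python example (not from the original thread, and not Splunk code) that reproduces what the subsearch pattern computes: rank client IPs by their total number of allowed events, keep the X busiest, then for each of those report the Y most-requested destination hosts with a count and a percentage, the same columns Splunk's top emits. The event list is constructed sample data; the function name and its X/Y parameters are my own naming.

```python
from collections import Counter, defaultdict

# Constructed sample of allowed proxy events as (c_ip, UrlDestHost) pairs.
SAMPLE_EVENTS = [
    ("10.0.0.1", "example.com"),
    ("10.0.0.1", "example.com"),
    ("10.0.0.1", "cdn.example.net"),
    ("10.0.0.1", "update.example.org"),
    ("10.0.0.2", "example.com"),
    ("10.0.0.2", "mail.example.com"),
    ("10.0.0.2", "mail.example.com"),
    ("10.0.0.3", "example.com"),
    ("10.0.0.4", "login.example.com"),
    ("10.0.0.4", "login.example.com"),
    ("10.0.0.4", "login.example.com"),
    ("10.0.0.4", "example.com"),
    ("10.0.0.4", "cdn.example.net"),
]


def top_hosts_per_top_ip(events, top_ips=25, top_hosts=5):
    """Mirror of the subsearch pattern (hypothetical helper):
    1. rank c_ip by total event count and keep the top_ips busiest;
    2. for each kept c_ip, keep the top_hosts most common UrlDestHost.
    Returns an ordered dict: c_ip -> [(host, count, percent), ...], where
    percent is the host's share of that IP's events, as Splunk's top reports.
    """
    # Stage 1: the inner "top 25 c_ip" - total events per client IP.
    ip_totals = Counter(ip for ip, _ in events)
    ranked_ips = [ip for ip, _ in ip_totals.most_common(top_ips)]
    keep = set(ranked_ips)

    # Stage 2: only events from the kept IPs reach the outer "top 5 UrlDestHost by c_ip".
    per_ip = defaultdict(Counter)
    for ip, host in events:
        if ip in keep:
            per_ip[ip][host] += 1

    result = {}
    for ip in ranked_ips:
        total = ip_totals[ip]
        result[ip] = [
            (host, n, round(100.0 * n / total, 2))
            for host, n in per_ip[ip].most_common(top_hosts)
        ]
    return result


if __name__ == "__main__":
    for ip, rows in top_hosts_per_top_ip(SAMPLE_EVENTS, top_ips=2, top_hosts=2).items():
        for host, count, percent in rows:
            print(f"{ip:<10} {host:<20} {count:>3} {percent:>6.2f}%")
```

Note that the IP ranking is by total event volume, not by number of distinct hosts; an IP that hits one host thousands of times outranks one that touches many hosts a few times each, which is the behaviour of Kristian's inner top 25 c_ip as well.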
index=* sourcetype=iis | top 1 _raw by index
I think the quickest way to answer the first part of your question is:
source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top limit=5 UrlDestHost by c_ip
You can change the limit parameter to be whatever you want; default is 10 if you remove it from the search. One of the fields returned will be percent which will probably play with your mind a bit or anyone you might show the results to so I would get rid of it. It probably also makes sense to group by c_ip. I'd probably format the query like this:
source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top limit=5 UrlDestHost by c_ip | sort c_ip, -count | fields - percent
This will sort the IPs in ascending order, the counts in descending order, and remove the percent field. Otherwise you could leave the query as is and use a combination of sort and head to get top results. You are also using list(). In this or other use cases you might try values(), which will dedup and order the results.
I can't quite tell if, below your code snippet, you are asking a variation of your first question. At any rate I hope some of this helps.
You want to use the top search command in place of the first stats command. Top does the count similarly to stats (also percentage)
... | top 5 UrlDestHost by c_ip | ...
All together it looks like
source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top UrlDestHost by c_ip | stats list(UrlDestHost) list(count) by c_ip
Top is just counting events. It can count them in categories using the "by" indication.
Perhaps you can give an example of what your output would look like?
This is close but it only limits on the Y value. For example I'm only interested in the top c_ip entries (those with the highest count of events).