I am trying to create a bubble chart (this is not very well documented; hopefully this example will help) for a 2D distribution.
I have a set of data (IP addresses) and I would like to count the number of "pairs" for a given time (i.e. the IP addresses talking to each other). My search correctly extracts
dst (the pair of IP addresses) and I want to build a matrix:
src1 dst1 nr1
src2 dst1 nr2
src3 dst1 nr3
src2 dst1 nr4
src2 dst2 nr5
...
I know that my search should end up with
... | table src, dst, nr-something, I just do not know how to extract
Exactly what I was looking for - thanks. I have a hard time understanding the philosophy of the search syntax (but I will get over that one day :))
What are you really asking for?
1) How to count the source/destination pairs
2) How to extract nr-something?
Please provide us with some sample data.
If you just want to count the source / destination pairs without putting the count sums into various buckets, go with imrago's answer.
If you need to group the source / destination pairs by a 1 hour timeslot - you might want to try:
... | eval SrcDestPair = src + " " + dest | timechart span=1h count by SrcDestPair
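As an added illustration (not part of this thread), the same two counts done in Python over constructed log lines: count_pairs mirrors a plain `stats count by src, dst`, and count_pairs_per_hour mirrors the eval/timechart search above with span=1h; the event format and field names are assumptions.

```python
"""Added example (not from the thread): count src/dst pairs from constructed
log lines, both overall and per 1-hour time slot."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed sample events in an assumed key=value layout.
SAMPLE_EVENTS = """\
2024-05-01T10:05:12 src=10.0.0.5 dst=10.0.0.9 action=allow
2024-05-01T10:17:40 src=10.0.0.5 dst=10.0.0.9 action=allow
2024-05-01T10:42:03 src=10.0.0.7 dst=10.0.0.9 action=deny
2024-05-01T11:01:55 src=10.0.0.5 dst=10.0.0.9 action=allow
2024-05-01T11:30:00 src=10.0.0.5 dst=10.0.0.12 action=allow
this line has no src/dst fields and is skipped
"""

EVENT_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)")


def parse_events(text):
    """Yield (timestamp, src, dst) for every line that carries both fields."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated or malformed event: skipped, like a failed field extraction
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def count_pairs(text):
    """Equivalent of `... | stats count by src, dst`: {(src, dst): count}."""
    return Counter((src, dst) for _, src, dst in parse_events(text))


def count_pairs_per_hour(text):
    """Equivalent of `eval SrcDestPair=src+" "+dst | timechart span=1h count by SrcDestPair`.
    Returns {hour_bucket_iso: {"src dst": count}}, the hour floored as span=1h does."""
    buckets = defaultdict(Counter)
    for ts, src, dst in parse_events(text):
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[hour.isoformat()][f"{src} {dst}"] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    for (src, dst), n in count_pairs(SAMPLE_EVENTS).most_common():
        print(f"{src} -> {dst}: {n}")
    for hour, pairs in count_pairs_per_hour(SAMPLE_EVENTS).items():
        print(hour, pairs)
```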
It was the first one (how to count). Both answers are exactly what I was looking for, but I should not have used the word "extract" in my last sentence (and should have replaced it with "count").