Hello,
I am trying to create a bubble chart (this is not very much documented, hopefully this example will help) for a 2D distribution.
I have a set of data (IP addresses) and I would like to count the amount of "pairs" for a given time (i.e. the IP addresses talking to each other). My search correctly extracts src and dst (the pair of IP addresses) and I want to build a matrix:
src1 dst1 nr1
src2 dst1 nr2
src3 dst1 nr3
src2 dst1 nr4
src2 dst2 nr5
...
I know that my search should end up with ... | table src, dst, nr-something , I just do not know how to extract nr-something .
Thanks!
It was the first one (how to count). Both answers are exactly what I was looking for, but I should not have used the word "extract" in my last sentence (and should have replaced it with "count").
If you just want to count the source / destination pairs without putting the count sums into various buckets, go with imrago's answer.
If you need to group the source / destination pairs by a 1 hour timeslot - you might want to try:
... | eval SrcDestPair = src + " " + dst | timechart span=1h count by SrcDestPair
Thank you. I cannot put two "best answers" but I upvoted yours 🙂
What are you really asking for?
1) How to count the source/destination pairs
OR
2) How to extract nr-something?
Please provide us with some sample data.
... | stats count by src,dst
Exactly what I was looking for - thanks. I have a hard time understanding the philosophy of the search syntax (but I will get over that one day :))
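To make the behaviour of both answers concrete, here is an added Python example (not from this thread or from Splunk) that reproduces what `stats count by src,dst` and `eval SrcDestPair = src + " " + dst | timechart span=1h count by SrcDestPair` do over a few constructed flow events; the field names, the key=value log format and the timestamps are assumptions. It also shows the null caveat: an event missing src or dst gets a null SrcDestPair from the eval and silently drops out of the chart.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real traffic): "<time> src=<ip> dst=<ip>"
SAMPLE_EVENTS = [
    "2024-01-01T10:05:00 src=10.0.0.1 dst=10.0.0.9",
    "2024-01-01T10:20:00 src=10.0.0.2 dst=10.0.0.9",
    "2024-01-01T10:45:00 src=10.0.0.1 dst=10.0.0.9",
    "2024-01-01T11:02:00 src=10.0.0.2 dst=10.0.0.7",
    "2024-01-01T11:30:00 src=10.0.0.2 dst=10.0.0.9",
    "2024-01-01T11:59:00 src=10.0.0.3",  # dst missing: pair is null
]


def parse_event(line):
    """Split one constructed event into a dict with a datetime under _time."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def stats_count_by_pair(events):
    """Equivalent of '... | stats count by src,dst': one row per distinct pair.
    As in Splunk, an event lacking either by-field is not counted."""
    counts = Counter()
    for ev in map(parse_event, events):
        if "src" in ev and "dst" in ev:
            counts[(ev["src"], ev["dst"])] += 1
    return dict(counts)


def timechart_pairs(events, span_hours=1):
    """Equivalent of '... | eval SrcDestPair = src + " " + dst
    | timechart span=1h count by SrcDestPair'.
    Returns {bucket_start_iso: {pair: count}}. Concatenating with a null
    field yields null in eval, so such events never reach the chart."""
    chart = defaultdict(Counter)
    for ev in map(parse_event, events):
        src, dst = ev.get("src"), ev.get("dst")
        if src is None or dst is None:
            continue
        t = ev["_time"].replace(minute=0, second=0, microsecond=0)
        bucket = t.replace(hour=(t.hour // span_hours) * span_hours)
        chart[bucket.isoformat()][f"{src} {dst}"] += 1
    return {k: dict(v) for k, v in chart.items()}


if __name__ == "__main__":
    print(stats_count_by_pair(SAMPLE_EVENTS))
    print(timechart_pairs(SAMPLE_EVENTS))
```

If a pair you expect is absent from the timechart but present in the raw events, check for a missing or differently named field (e.g. dest vs dst) before suspecting the data.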