I currently have this to group IPs into subnets and list the counts, I want it to also show the IP it has listed aswell | rex field=SourceIP "(?<Subnet>\d+\.\d+\.\d+\.*)" example Subnet    Count   IPs 1.1.1       20            1.1.1.1, 1.1.1.2,1.1.1.3  How do I create another field or use the existing field to show what it has grouped? ... View more

Hi all  Trying to work on something which currently shows a bunch of IP hits and counts against it, the current output is the last 2 hours Query: index=source sourcetype="source"  | stats count values(Hostname) by SourceIP | sort by -count | rename "count" to "Total count", "values(Hostname)" to "Hosts" Output: IP                                              Count 100.100.100.100               5 I want to add a new column called "Last30days" that looks at the IP address found in column 1 and a count search for the last 30 days, so like above but another column for the last 30days, final output below. IP                                              Count                 Last30days 100.100.100.100               1                          10 tried various variaitions but can't get it to work ... View more