I also summarize as you but some times I had to scratch my head to use particular commands. You just used values command to solve this problem. Anyways, thank you so much. ... View more

Wow, this is what i expected. But I have one more doubt, How can i know, which command I have to use for a particular situation? I am confused with the search commands. If you know any references to learn more about it, please suggest me. Thank you so much ... View more

Thank you for your answer. I did some changes to get minimum solution. Two changes I did. 1. Distinct count w.r.t clientip 2. Which is done in the last eval search, replaced with count instead of sum_status then it works fine. index=_internal clientip=* status=* | stats dc(clientip) by clientip status | eval dc_200=case(status="200", 1, 1=1, 0), dc_404=case(status="404", 1, 1=1, 0) | stats dc(eval(dc_200 + dc_404)) AS sum_status count by clientip | eval frequent=case(count="2", "common", count="1", "uncommon", 1=1, "unknown") But i need to represent uncommon ip_addresses with status value. ... View more

Thank you so much for your answer. This one is listing common and uncommon ip_addresses. Though, It's not full solution, i wanted to list uncommon values with status values. ... View more

Yeah, I tried the above searches, Those are not what i am looking exactly. I want to list all common/uncommon ip_addresses in a single search Because my data has 100+ ip_addresses. ... View more

This command is works fine, but it's listing only 50,000 statistics of append search. I want to list all common ip_addresses and also want to list uncommon ip_addresses w.r.t status=200 and status=400 ... View more