I am trying to search for events that contain one IP from each of the two groups of IP addresses. For instance: index=main sourcetype=* | search ("10.10.10.10" OR "30.30.30.30" OR "50.50.50.50" OR "70.70.70.70" OR "90.90.90.90") AND ("20.20.20.20" OR "40.40.40.40" OR "60.60.60.60" OR "80.80.80.80") I am not specifying the source type or fields because I also want to search through multiple source types. I couldn't find an answer similar to this issue. I also looked at subsearches, but didn't see how they would solve this. ... View more

I use the following search to show a pie chart of the top 5 IPs connecting to the network: sourcetype="conn_log" | chart count by Orig_IP | sort -count | head 5 I also use the following search to look up a specific IP (for example, 8.8.8.8) on all logs, exclude instances where the IP doesn't exist, then view it on a bar graph: 8.8.8.8 | timechart span=1h count by sourcetype | addtotals | search Total > 0 Ideally, I want to combine these 2 strings to have the first string fill in the IP criteria for the second string, making a bar graph for each of the top 5 IPs. But if this can't be done, is there a way to make 5 individual search strings to display bar graphs for each of the top 5 IPs? ... View more