Alright, this may seem like a trivial question for some of you Splunkers. I'm new at this:
I'm trying to get the results of a top (n) inside_port for multiple inside_ip.
search string:
inside_ip=xxx.xxx.223.221 OR inside_ip=xxx.xxx.220.224 | top 5 inside_port
results returned:
inside_ip | inside_port | count | percent
223.221 | 22,80,443 | 6,3,1 | 60,30,10
220.224 | 443,3389,22 | 12,6,2 | 60,30,10
or alternative results:
inside_ip | inside_port | count | percent
223.221 | 22 | 6 | 60
223.221 | 80 | 3 | 30