We have web logs, and we need to isolate the source IPs that only (only) hit two URLs.
The fields are:
src for source IP
uri_path for hit URL
Then this should do it:
<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src
You can substitute stats with tstats if uri_path is an indexed field. YMMV.
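The same filter logic run offline over sample events, as an added example that is not part of the original answer. The event lines, IP addresses, and the function names `paths_by_src` and `only_hit_both` are constructed for illustration; the two patterns are the ones from the `mvfind()` calls above.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original thread), key=value style.
SAMPLE_EVENTS = """\
src=10.0.0.1 uri_path=account/logon
src=10.0.0.1 uri_path=member/savedcard
src=10.0.0.1 uri_path=account/logon
src=10.0.0.2 uri_path=account/logon
src=10.0.0.2 uri_path=member/savedcard
src=10.0.0.2 uri_path=home/index
src=10.0.0.3 uri_path=account/logon
src=10.0.0.4 uri_path=member/savedcard/list
src=10.0.0.4 uri_path=account/logon
src=10.0.0.5 uri_path=member/savedcard
src=10.0.0.5 uri_path=home/index
"""

EVENT_RE = re.compile(r"src=(\S+)\s+uri_path=(\S+)")
# Same patterns as the mvfind() calls in the answer.
LOGON_RE = re.compile(r"^account/logon$")
SAVEDCARD_RE = re.compile(r"^member/savedcard")

def paths_by_src(text):
    """Equivalent of `stats values(uri_path) by src`: distinct paths per source IP."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen

def only_hit_both(text):
    """Sources with exactly two distinct paths: the logon URL and a savedcard URL."""
    hits = []
    for src, paths in paths_by_src(text).items():
        if (len(paths) == 2
                and any(LOGON_RE.search(p) for p in paths)
                and any(SAVEDCARD_RE.search(p) for p in paths)):
            hits.append(src)
    return sorted(hits)

if __name__ == "__main__":
    for src in only_hit_both(SAMPLE_EVENTS):
        print(src)
```

10.0.0.4 is returned alongside 10.0.0.1 because the second pattern has no trailing `$`, so `member/savedcard/list` also satisfies it.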
Sorry, I think I should have explained it better.
We need to get all the IPs that ONLY hit two URLs,
as this has been detected as an attack pattern.
So I need the IPs that hit only these two URLs.