How do I filter only IPs that have multiple Attack Names associated with them? Here is the search string so far; however, we are unable to filter out the values of 1:
sourcetype="mcafee:ids" | stats dc(Attack_Name) by SIP
How do I return results by SIP where Attack_Names are greater than 1?
Is this?
sourcetype="mcafee:ids" | stats dc(Attack_Name) as count by SIP| search count>1
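To make the distinct-count semantics concrete, here is an added Python example (not from the original thread) that replays the accepted pipeline over a handful of constructed events in the shape of sourcetype="mcafee:ids": group by SIP, count distinct Attack_Name values per SIP, then keep only SIPs whose count exceeds 1. The field names SIP and Attack_Name are taken from the question; the sample events are made up.

```python
from collections import defaultdict

# Constructed sample events (not real IDS data). Each carries the source IP (SIP)
# and the signature that fired (Attack_Name), as in the mcafee:ids sourcetype.
SAMPLE_EVENTS = [
    {"SIP": "10.0.0.5", "Attack_Name": "HTTP: SQL Injection"},
    {"SIP": "10.0.0.5", "Attack_Name": "HTTP: SQL Injection"},      # same name again
    {"SIP": "10.0.0.5", "Attack_Name": "HTTP: Directory Traversal"},
    {"SIP": "10.0.0.9", "Attack_Name": "SSH: Brute Force"},
    {"SIP": "10.0.0.9", "Attack_Name": "SSH: Brute Force"},         # many events, one name
    {"SIP": "192.168.1.20", "Attack_Name": "SMB: Null Session"},
    {"SIP": "192.168.1.20", "Attack_Name": "SMB: Null Session"},
    {"SIP": "192.168.1.20", "Attack_Name": "DNS: Zone Transfer"},
    {"SIP": "192.168.1.20", "Attack_Name": "HTTP: SQL Injection"},
    {"Attack_Name": "SSH: Brute Force"},                            # no SIP: dropped by "by SIP"
]


def distinct_attacks_by_sip(events):
    """Equivalent of `stats dc(Attack_Name) as count by SIP`.

    dc() counts distinct values, so an IP that fires the same signature
    fifty times still gets a count of 1. Events lacking the by-field (SIP)
    never form a group, and a missing Attack_Name contributes no value.
    """
    names = defaultdict(set)
    for ev in events:
        sip = ev.get("SIP")
        name = ev.get("Attack_Name")
        if sip is None or name is None:
            continue
        names[sip].add(name)
    return {sip: len(s) for sip, s in names.items()}


def sips_with_multiple_attacks(events, threshold=1):
    """Equivalent of the whole pipeline ending in `| search count>1`."""
    counts = distinct_attacks_by_sip(events)
    return {sip: c for sip, c in counts.items() if c > threshold}


if __name__ == "__main__":
    for sip, count in sorted(sips_with_multiple_attacks(SAMPLE_EVENTS).items()):
        print(f"{sip}\t{count}")
```

Running it lists only 10.0.0.5 (2 distinct names) and 192.168.1.20 (3); 10.0.0.9 is excluded despite several events because they all share one Attack_Name.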
Yes, it worked. Thank you.