Hello, I'm trying to compose a search that will show me srcIP, dstIP, count by dstIP like this:
srcIP    dstIP    count
1.1.1.1  2.2.2.2  15
         2.2.2.3  10
         2.3.4.3  10
5.5.5.5  6.6.6.6  8
         7.7.7.7  8
I used something like status="failure" | stats count(dst) by src, dst, but I was unable to get distinct values of srcIP. Could you please advise me how to do that? Thanks in advance.
There are a couple of ways to do this. Easiest:
status=failure | stats count by src, dst
It repeats the source IP on each line, though. This may also work:
status=failure
| stats count by src, dst
| stats list(dst) as dstIP list(count) as count by src
| rename src as srcIP
This may look more like what you want. However, this version will not export in a useful way.
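The two-stage search above, reproduced in Python as an added example (not from the original answer) over constructed sample events, to show what the multivalue list() fields hold per src and how they flatten into the layout the question asks for:

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the original post), key=value style.
EVENTS = [
    'status=failure src=1.1.1.1 dst=2.2.2.2',
    'status=failure src=1.1.1.1 dst=2.2.2.3',
    'status=success src=1.1.1.1 dst=2.2.2.3',   # excluded by the status filter
    'status=failure src=5.5.5.5 dst=6.6.6.6',
    'status=failure src=1.1.1.1 dst=2.2.2.2',
    'status=failure src=5.5.5.5 dst=7.7.7.7',
]

KV = re.compile(r'(\w+)=(\S+)')

def parse(line):
    """Extract key=value fields, mimicking Splunk's automatic field extraction."""
    return dict(KV.findall(line))

def count_by_src_dst(events):
    """Stage 1: `status=failure | stats count by src, dst`."""
    c = Counter()
    for e in map(parse, events):
        if e.get('status') == 'failure':
            c[(e['src'], e['dst'])] += 1
    return c

def list_by_src(pairs):
    """Stage 2: `| stats list(dst) as dstIP list(count) as count by src`.
    One row per src whose dstIP and count are multivalue fields; that is
    why this shape exports poorly (a CSV cell would hold several values)."""
    out = defaultdict(lambda: {'dstIP': [], 'count': []})
    for (src, dst), n in sorted(pairs.items()):   # stats sorts by the split fields
        out[src]['dstIP'].append(dst)
        out[src]['count'].append(n)
    return dict(out)

def render(grouped):
    """Flatten to the display in the question: srcIP shown once, blank on
    continuation rows. Returns (srcIP, dstIP, count) tuples."""
    rows = []
    for src in sorted(grouped):
        for i, (dst, n) in enumerate(zip(grouped[src]['dstIP'], grouped[src]['count'])):
            rows.append((src if i == 0 else '', dst, n))
    return rows

if __name__ == '__main__':
    g = list_by_src(count_by_src_dst(EVENTS))
    print(f"{'srcIP':<9}{'dstIP':<9}count")
    for src, dst, n in render(g):
        print(f"{src:<9}{dst:<9}{n}")
```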
I appreciate your perfect answer.
It works and is very helpful to me.
Nice day.