Consider log entries such as the following:

20110605.132223 CONNECT misc.data 10.10.10.2 ID=12345

So, this is a transaction, but notice that only the CONNECT event has the IP. I can't group on the ID value as it is not unique across log files. So I am using transaction to group the records based on a time range AND the ID. Now, there may be matches that include other IP addresses. This is because a transaction might be between 2 or more servers. So, post transaction, the resulting record from the search may have other IPs in it. Ultimately, the purpose of the report is to count the various transaction types (CONNECT, ADD, etc.) by IP, but I only want to include 4 specific IPs in the results. So, my chart will ultimately have only 4 IPs on it. How can I tell chart to only include the IP addresses that I specify using OR?
Is the ID unique within a log file? If so, the following should work... I'd break this into 2 steps: First, associate an IP address with a source + ID combination
This will give you a table output; notice that transtype will be a list of the various transaction types that appear in the transaction. Also note that we pick up only the first IP address that appears in the transaction. Our next task is to break this back into separate events, so we can count them... Count the number of each transaction type by IP - add this to the end of the previous search
The full picture
I hope this is what you wanted! Let me know if it doesn't work for you.

Are you saying that you could have a line in the middle of those 4 that says "... CONNECT misc.data 10.10.10.50 ID=12345"?
Yes, precisely. Because 10.10.10.2 might be connecting to 10.10.10.50. I only care about 10.10.10.2 though, so I want to chart on it alone and not records for .50.