Hello guys,
I am trying to perform a simple search, but with no success right now.
Here's my sample search; I just changed the names of the columns for the sake of security:
1) index=myindex source="where_we_search.log" "URL Query" | stats count by IP_Address | search count >20
Now, 1) produces output of the form:
IP_Address   count
1.1.1.1      30
2.2.2.2      40
What I want to achieve is, for every IP in the IP_Address column, search for the count of Field2 (an existing field), like so (not working):
2) index=myindex source="where_we_search.log" "URL Query" | stats count by IP_Address | search count >20 | rename IP_Address as IPA | stats count(IPA) by "Field2"
If I split the search in two it passes, but I want to automate it.
Help?
Why not like this...
index=myindex source="where_we_search.log" "URL Query" field2=* | stats count by IP_Address, field2 | eventstats sum(count) as Total by IP_Address | search Total >20
Hello all,
After a couple of hours of searching, Google provided the best idea.
Now here's the result (inner quotes inside the map search string escaped with a backslash, and the subsearch started with the search command, as the map syntax requires):
index=myindex source="where_we_search.log" "URL Query" field2=* | stats count by IP_Address | search count > 20 | map maxsearches=5 search="search index=myindex source=\"where_we_search.log\" IP_Address=$IP_Address$ | stats count by field2"
Thanks for your time. Now I need to figure out how to output the results of the two searches into a table/CSV.
Kind regards,
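Editor's note, added to this thread and not posted by any of the participants: the single-pass approach from the answer above already yields the per-IP, per-field2 breakdown that the map search produces, and it can be written straight to a table or CSV without a second search. The search below is an added example using the same placeholder names as the thread (myindex, where_we_search.log, "URL Query", IP_Address, field2); the output field names requests and total_requests and the CSV file name noisy_ips_by_field2 are my own choices, and it assumes field2 is an extracted field on those events.

```spl
index=myindex source="where_we_search.log" "URL Query"
| fillnull value="(none)" field2
| stats count AS requests BY IP_Address, field2
| eventstats sum(requests) AS total_requests BY IP_Address
| where total_requests > 20
| sort -total_requests, -requests
| table IP_Address, total_requests, field2, requests
| outputcsv noisy_ips_by_field2
```

Two points worth checking against your data. First, the answer's field2=* filter drops events that have no field2 before counting, so an IP's total can fall below the one from search 1); fillnull keeps those events in the total and reports them under a "(none)" bucket instead, which matches the threshold of the original search. Second, map with maxsearches=5 expands at most five IPs, so the map version silently stops after the first five results of the outer search; the eventstats version has no such cap. outputcsv writes the file under $SPLUNK_HOME/var/run/splunk/csv/ on the search head; drop that line if you only want the table in the UI.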