enter image description heresourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?\d+.\d+.\d+.\d+):"| bin span=1d _time |chart max(value) count by _time FROM_IP limit=0

- 9
- 6
2 Answers
You can use where
or search
to filter the data to what you need.
sourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?\d+.\d+.\d+.\d+):"| bin span=1d _time |chart count by _time FROM_IP limit=0 | where count > 30000 AND count < 30000

- 2,631
- 2
- 7
- 15
-
Problem here is the output it gives is count of connection on each ip w.r.t to days .so count > 30000 is not working for no. of connection – Misrty vib Feb 01 '20 at 08:29
-
I have attached the output pic , if I use count > .... then there is no result – Misrty vib Feb 01 '20 at 08:47
You can use stats
command instead of chart
. That will give you a count column
sourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?\d+.\d+.\d+.\d+):"| bin span=1d _time | stats count by _time FROM_IP | where count > 30000 AND count < 30000

- 2,631
- 2
- 7
- 15