How to write a query to find event count of source ip greater than 10000 in 30mins?

Follow
Avatar
Allwin Unknown

How to write a query to find event count of  source ip greater than 10000 in 30mins? Aggregate view should display source Ip and corresponding destination IP's(with count).  I have written query to fetch the  source Ip(event count more than 10000) but could not able to display corresponding destination IP's with count. Threshold 10000 is greater than overall count for the source ip

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Michael Sage

    Hi Allwin,

    How's this going? Can you share a sample log file or some of the output? Using Apache logs with source IP and destination URL as an example, are you looking for something like this?

    _sourceCategory=Labs/Apache/Access
    | parse "] \"GET * HTTP" as url
    | parse "* - - " as src
    | count by src, url | where _count > 10000

    Michael 

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post