List of unique sourceHosts in a sourceCategory

Follow
Avatar
David Day

I am trying to get a list of IP addresses that are reporting to a particular sourceCategory.   I have tried several options and the best I can come up with is:

_sourceCategory=prod/network
| count_frequent(_sourceHost)

However, I don't need the count of messages and that is extremely taxing on the server but I have not found another way to get the list of sourceHosts.

Thanks.

 

0

Comments

2 comments

Sort by Date Votes
  • Official comment
    Avatar
    Graham Watts

    Hey David,


    Can you try this query and let us know if this is what you're trying to see?

    _sourceCategory=prod/network
    | count by _sourceHost // assuming these are the source IPs
    | count by _sourceHost

    This is a trick to get a similar output of the count_distinct operator but is a bit faster.

    Comment actions Permalink
  • Avatar
    David Day

    Graham,

         Thanks.  That was exactly what I was looking for.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post