Channel: Latest Questions on Splunk Answers

Search Top value of a previous Top Result


Hi,

I'm trying to create a table of data which draws upon a subsearch and a join in order to have a more complete representation of my data.

First, I created a table that shows the TOP 5 Destination IP, Destination IP Country, Destination Port, and Protocol. My search is something like this:

sourcetype="cisco_asa" (host="11.11.11.11" OR host="10.10.10.10" OR host="12.12.12.12" OR host="13.13.13.14") (actual_action="Deny" OR actual_action="Denied" OR actual_action="denied") dest_dom="Outside" | geoip dest_ip | eval protocol=lower(protocol) | top limit=5 dest_ip,dest_ip_country_name,dest_port,protocol

And my result is something like:

    dest_ip           dest_ip_country_name   dest_port   protocol   count    percent
1   aaa.aaa.aaa.aaa   China                  161         udp        336834   10.501823
2   bb.bbb.bbb.bbb    United Kingdom         16386       udp        184701   5.758615
3   ccc.ccc.ccc.ccc   United Kingdom         3544        udp        182193   5.680420
4   dd.ddd.ddd.ddd    United Kingdom         16385       udp        180451   5.626108
5   ee.eee.eee.eee    United Kingdom         16384       udp        180332   5.622398

If I drill down, I'll be able to find for each one of my results the TOP Source IP.

What I'm trying to do is to eliminate the drill-down in order to find out what the Source IP is on each result. So my table should look like:

    src_ip            dest_ip           dest_ip_country_name   dest_port   protocol   count    percent
1   xxx.xxx.xxx.xxx   aaa.aaa.aaa.aaa   China                  161         udp        336834   10.501823
2   yy.yyy.yyy.yyy    bb.bbb.bbb.bbb    United Kingdom         16386       udp        184701   5.758615
3   zz.zzz.zzz.zzz    ccc.ccc.ccc.ccc   United Kingdom         3544        udp        182193   5.680420
4   www.www.www.www   dd.ddd.ddd.ddd    United Kingdom         16385       udp        180451   5.626108
5   uu.uuu.uuu.uuu    ee.eee.eee.eee    United Kingdom         16384       udp        180332   5.622398

I've tried changing the join parameters a few times and in a few ways, but I'm missing something about the logic of what I'm doing, so I'm obviously going about it in the wrong way.

I just want to find the TOP 5 Destination IP, Destination IP Country, Destination Port, and Protocol, then look for the TOP Source IP for each one, and create a nice table of information...

Any ideas..... I need more coffee....
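One way to get the top source for each of the top 5 destinations in a single search, without a subsearch or join, as an added example that is not part of the original question or any posted answer. It reuses the post's base search and field names (src_ip, dest_ip, dest_ip_country_name, dest_port, protocol, and the geoip command from the post), replaces top with stats/eventstats so the count and percent columns still mean what top's did, and assumes src_ip is already extracted on the cisco_asa events.

```spl
sourcetype="cisco_asa" (host="11.11.11.11" OR host="10.10.10.10" OR host="12.12.12.12" OR host="13.13.13.14") (actual_action="Deny" OR actual_action="Denied" OR actual_action="denied") dest_dom="Outside"
| geoip dest_ip
| eval protocol=lower(protocol)
| stats count by dest_ip,dest_ip_country_name,dest_port,protocol,src_ip
| eventstats sum(count) as total
| eventstats sum(count) as dest_count by dest_ip,dest_ip_country_name,dest_port,protocol
| sort 0 -dest_count, -count
| dedup dest_ip,dest_ip_country_name,dest_port,protocol
| head 5
| eval percent=round(100*dest_count/total, 6)
| rename dest_count as count
| table src_ip dest_ip dest_ip_country_name dest_port protocol count percent
```

The first stats counts every (destination tuple, src_ip) pair once, the two eventstats add the grand total and the per-destination total that top would have reported, and sorting by destination total then pair count before dedup leaves exactly one row per destination, the one with its busiest source. The `0` on sort matters: without it sort stops at 10,000 rows, which on a busy firewall can silently drop the rows you are ranking.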

