How to write a query to find event count of source ip greater than 1000 in 5mins?


#1

The aggregate view should display the source IP and the corresponding destination IPs (with count). I have written a query to fetch the source IP (event count more than 10000) but could not display the corresponding destination IPs with count. Threshold 10000 is greater than the overall count for the source IP.


#2

Hey there,

Here is a sample query that gives you the count for each unique combination of the respective fields. In the query below we get the count for each unique combination of Source IP ($SrcIP) and Destination IP ($DstIP):

Sample Query:

_fetch * from event where $Duration=6h limit 100
>>_agg count_unique $SrcIP, $DstIP

Output of the above query:
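For readers who want to check the logic outside the query language, here is an added example (not from either post and not DNIF code) that does what the question asks and what the answer aggregates: it buckets events into 5-minute windows, flags any source IP whose count in a window exceeds the threshold, and returns that source's destination IPs with counts. The event records and the IP addresses are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 1000  # the question's "greater than 1000 in 5 mins"

def make_sample_events():
    """Constructed sample data, not from the thread: (timestamp, src_ip, dst_ip)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    # A noisy source: 1200 events to three destinations within four minutes.
    for i in range(1200):
        dst = ["192.168.1.10", "192.168.1.11", "192.168.1.12"][i % 3]
        events.append((base + timedelta(milliseconds=200 * i), "10.0.0.5", dst))
    # A quiet source: 60 events spread over an hour, never near the threshold.
    for i in range(60):
        events.append((base + timedelta(minutes=i), "10.0.0.9", "192.168.1.20"))
    return events

def windowed_offenders(events, window=WINDOW, threshold=THRESHOLD):
    """Group events into tumbling windows keyed by (window_start, src_ip).

    Returns {(window_start, src_ip): Counter({dst_ip: count})} for every
    source whose total event count inside one window exceeds the threshold,
    so the destination breakdown is only kept for the sources that matter.
    """
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(Counter)
    for ts, src, dst in events:
        # Floor the timestamp to the start of its window (e.g. 10:03:12 -> 10:00:00).
        start = ts - (ts - epoch) % window
        buckets[(start, src)][dst] += 1
    return {key: dsts for key, dsts in buckets.items()
            if sum(dsts.values()) > threshold}

def aggregate_rows(offenders):
    """Flatten the result into (window_start, src_ip, dst_ip, count) rows,
    the shape of the aggregate view the question describes."""
    rows = []
    for (start, src), dsts in offenders.items():
        for dst, count in dsts.most_common():
            rows.append((start.isoformat(), src, dst, count))
    return rows

if __name__ == "__main__":
    for row in aggregate_rows(windowed_offenders(make_sample_events())):
        print(*row)
```

Tumbling windows can split one burst across a window boundary, so a source doing 600 events just before and 600 just after 10:05 would not trip a 1000 threshold here; a sliding window over the same counts would.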