I have this search of events:
eventtype=cisco-firewall src_ip="*" (dest_ip="192.168.1.2" OR dest_ip="192.168.2.2" OR dest_ip="10.10.1.1" )
For each src_ip, I'd like to list the dest_ip and the count of src_ip, so it'd look like:
src_ip | dest_ip | count
212.123.123.123 | 192.168.1.2, 10.10.1.1 | 123
215.123.123.123 | 192.168.1.2, 10.10.1.1 | 55
214.23.23.23 | 192.168.2.2 | 894
211.45.55.55 | 192.168.1.2, 192.168.2.2, 10.10.1.1 | 235