Hi,
I'm trying to return some results with the AppID that is being searched. My current search does everything I want except return the appID that is being searched. My search and results are below. Any help with constructing the proper search would be greatly appreciated.
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", application as "AppID"
Results:
UniqueSrcIP UniqueDstIP UniqueSrcPort UniqueDstPort ComboIPs Sent Rec AppID
19 22 74 2 40 14545060 534759637
↧