How to produce a table output with every FROM_IP and its related uid
index=name conn "connection from"
[search index=name
[| inputlookup UIDlist.csv
|rename UID AS uid
| fields uid ]
"BIND"
| fields conn ]
| rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):"
| stats count by FROM_IP
The tst.csv file has the list of UIDs, so it gives the output for one user, then for another user, and so on...
I want to table FROM_IP with which uid.
Output of the two queries used above:
index=name BIND uid | fields conn
[10/Nov/2020:06:38:40 +0000] conn=111111 op=4238 msgId=4239 - BIND dn="uid=uid,ou=xxx,o=xxxx,o=email" method=128 version=3
index=name conn "connection from" | rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):" | stats count by FROM_IP
[09/Nov/2020:22:52:55 -0800] conn=1111111 op=-1 msgId=-1 - fd=115 slot=115 xxxx connection from xx.xx.xx.xx.xx to xx.xx.xx.xx.xx
Solution
Try this query. It is less efficient than your original since it reads more rows, but sometimes that can't be helped.
We read the connection and BIND events first, then use stats to put them together. Then we filter out those that are not in the lookup file.
index=name conn ("connection from" OR "BIND")
| stats values(*) as * by conn
| search [| inputlookup UIDlist.csv
|rename UID AS uid
| return 1000 $uid ]
| rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):"
| rex field=dn "uid=(?<uid>[^,]+)"
| stats count by FROM_IP,uid
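The correlation the answer describes, as an added Python example that is not from the original thread or from Splunk. It mirrors the SPL stage by stage: group events by conn, join the "connection from" line with the BIND line of the same connection, keep only uids present in the lookup, then count by FROM_IP and uid. The access-log lines follow the format shown in the question, but SAMPLE_LOG, UID_LOOKUP, the IP addresses, uids and function names are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the LDAP access-log format shown in the thread.
# A "connection from" line carries the source IP but no uid; the BIND line
# carries the uid but no IP; conn=<id> is the only key shared by both.
SAMPLE_LOG = """\
[09/Nov/2020:22:52:55 -0800] conn=1001 op=-1 msgId=-1 - fd=115 slot=115 SSL connection from 10.0.0.5:51234 to 10.0.0.9:636
[09/Nov/2020:22:52:55 -0800] conn=1001 op=0 msgId=1 - BIND dn="uid=alice,ou=people,o=example,o=email" method=128 version=3
[09/Nov/2020:22:53:10 -0800] conn=1002 op=-1 msgId=-1 - fd=116 slot=116 connection from 10.0.0.7:40000 to 10.0.0.9:389
[09/Nov/2020:22:53:10 -0800] conn=1002 op=0 msgId=1 - BIND dn="uid=bob,ou=people,o=example,o=email" method=128 version=3
[09/Nov/2020:22:54:00 -0800] conn=1003 op=-1 msgId=-1 - fd=117 slot=117 connection from 10.0.0.5:51300 to 10.0.0.9:636
[09/Nov/2020:22:54:00 -0800] conn=1003 op=0 msgId=1 - BIND dn="uid=alice,ou=people,o=example,o=email" method=128 version=3
[09/Nov/2020:22:55:00 -0800] conn=1004 op=-1 msgId=-1 - fd=118 slot=118 connection from 10.0.0.8:42000 to 10.0.0.9:389
[09/Nov/2020:22:55:00 -0800] conn=1004 op=0 msgId=1 - BIND dn="uid=mallory,ou=people,o=example,o=email" method=128 version=3
[09/Nov/2020:22:56:00 -0800] conn=1005 op=-1 msgId=-1 - fd=119 slot=119 connection from 10.0.0.6:43000 to 10.0.0.9:389
"""

# Constructed stand-in for UIDlist.csv (header UID, one uid per row).
UID_LOOKUP = "UID\nalice\nbob\n"

CONN_RE = re.compile(r"\bconn=(?P<conn>\d+)")
# Same pattern as the rex in the thread: source IP of the connection.
FROM_IP_RE = re.compile(r"connection from (?P<FROM_IP>\d+\.\d+\.\d+\.\d+):")
# uid is the first RDN of the bind DN, up to the first comma.
BIND_UID_RE = re.compile(r'BIND dn="uid=(?P<uid>[^,]+)')


def load_uid_lookup(csv_text):
    """Equivalent of `| inputlookup UIDlist.csv | rename UID AS uid`."""
    rows = csv_text.strip().splitlines()
    return {row.strip() for row in rows[1:] if row.strip()}


def count_from_ip_by_uid(log_text, uid_allowlist):
    """Return {(FROM_IP, uid): count} for connections whose uid is in the lookup."""
    # Stage 1: `stats values(*) as * by conn` - collect what each line
    # contributes to its connection. Unlike values(*), which keeps every
    # distinct value, this keeps the last BIND seen on a connection.
    per_conn = defaultdict(dict)
    for line in log_text.splitlines():
        conn_match = CONN_RE.search(line)
        if not conn_match:
            continue
        fields = per_conn[conn_match.group("conn")]
        ip_match = FROM_IP_RE.search(line)
        if ip_match:
            fields["FROM_IP"] = ip_match.group("FROM_IP")
        uid_match = BIND_UID_RE.search(line)
        if uid_match:
            fields["uid"] = uid_match.group("uid")

    # Stage 2: keep only connections that both have a source IP and bound
    # as a uid from the lookup (the `search [ ... return $uid ]` filter),
    # then `stats count by FROM_IP, uid`.
    counts = Counter()
    for fields in per_conn.values():
        if "FROM_IP" in fields and fields.get("uid") in uid_allowlist:
            counts[(fields["FROM_IP"], fields["uid"])] += 1
    return dict(counts)


def as_table(counts):
    """Render the result as rows sorted by FROM_IP, uid (like the Splunk table)."""
    return [(ip, uid, n) for (ip, uid), n in sorted(counts.items())]


if __name__ == "__main__":
    result = count_from_ip_by_uid(SAMPLE_LOG, load_uid_lookup(UID_LOOKUP))
    print("FROM_IP     uid     count")
    for ip, uid, n in as_table(result):
        print(f"{ip:<11} {uid:<7} {n}")
```

Connections 1004 (uid not in the lookup) and 1005 (never bound) drop out in stage 2, which is the same effect the subsearch filter has in the SPL. If one connection performs several BINDs, the SPL keeps all uids as a multivalue field; this example keeps the last one, so adapt stage 1 if that distinction matters for your data.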