How to put conditional output like arithmetic, value o/p should be greater than = 30k and less than = 30k

sourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?<FROM_IP>\d+.\d+.\d+.\d+):" | bin span=1d _time | chart max(value) count by _time FROM_IP limit=0

You can use where/search to filter the data you need.

sourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?<FROM_IP>\d+.\d+.\d+.\d+):" | bin span=1d _time | chart count by _time FROM_IP limit=0 | where count > 30000 AND count < 30000

You can use the stats command instead of chart. That will give you a count column.

sourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?<FROM_IP>\d+.\d+.\d+.\d+):" | bin span=1d _time | stats count by _time FROM_IP | where count > 30000 AND count < 30000