Need table output with each FROM_IP and its related uid

index=name conn "connection from"  
    [search index=name 
        [| inputlookup UIDlist.csv 
        |rename UID AS uid
        | fields uid ]
    "BIND"  
   | fields conn ]  
| rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):"  
| stats count by FROM_IP

The tst.csv file contains the list of UIDs, so it gives the output for one user, then the output for the next user, and so on...
I want to table FROM_IP and uid

Output of the two queries used above:

index=name BIND uid | fields conn

[10/Nov/2020:06:38:40 +0000] conn=111111 op=4238 msgId=4239 - BIND dn="uid=uid,ou=xxx,o=xxxx,o=email" method=128 version=3

index=name conn "connection from" | rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):" | stats count by FROM_IP

[09/Nov/2020:22:52:55 -0800] conn=1111111 op=-1 msgId=-1 - fd=115 slot=115 xxxx connection from xx.xx.xx.xx.xx to xx.xx.xx.xx.xx

Try this query. It is not as efficient as your original query, because it reads more rows, but sometimes that can't be helped. We first read the connection and BIND events, then use stats to put them together. Then we filter out the ones that are not in the lookup file.

index=name conn ("connection from" OR "BIND")
| rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):"
| rex field=dn "uid=(?<uid>[^,]+)"
| stats values(FROM_IP) as FROM_IP values(uid) as uid by conn
| search [| inputlookup UIDlist.csv
        | rename UID AS uid
        | fields uid ]
| stats count by FROM_IP, uid
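The same correlation, written out in Python so it can be checked offline against sample log lines. This is an added example, not code from the question or the answer above: the log lines, IP addresses, UIDs and the stand-in for UIDlist.csv are all constructed for the example, and the field names (FROM_IP, uid, conn) are the ones used in the thread. It does what the SPL does: key every event on its conn id, pair the "connection from" line with the BIND line of the same connection, keep only UIDs present in the lookup, and count by (FROM_IP, uid). It also shows the two cases the SPL silently drops: a connection that never binds, and a bind by a user who is not in the lookup.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of LDAP access-log lines in the same shape as the thread's
# examples (389-DS style). IPs, conn ids and UIDs are made up for this example.
SAMPLE_LOG = """\
[09/Nov/2020:22:52:55 -0800] conn=1001 op=-1 msgId=-1 - fd=115 slot=115 connection from 10.0.0.5:51234 to 10.0.0.10:389
[09/Nov/2020:22:52:56 -0800] conn=1001 op=0 msgId=1 - BIND dn="uid=alice,ou=people,o=example" method=128 version=3
[09/Nov/2020:22:53:01 -0800] conn=1002 op=-1 msgId=-1 - fd=116 slot=116 connection from 10.0.0.6:51235 to 10.0.0.10:389
[09/Nov/2020:22:53:02 -0800] conn=1002 op=0 msgId=1 - BIND dn="uid=bob,ou=people,o=example" method=128 version=3
[09/Nov/2020:22:53:10 -0800] conn=1003 op=-1 msgId=-1 - fd=117 slot=117 connection from 10.0.0.5:51236 to 10.0.0.10:389
[09/Nov/2020:22:53:11 -0800] conn=1003 op=0 msgId=1 - BIND dn="uid=alice,ou=people,o=example" method=128 version=3
[09/Nov/2020:22:53:20 -0800] conn=1004 op=-1 msgId=-1 - fd=118 slot=118 connection from 10.0.0.7:51237 to 10.0.0.10:389
[09/Nov/2020:22:53:21 -0800] conn=1004 op=0 msgId=1 - BIND dn="uid=carol,ou=people,o=example" method=128 version=3
[09/Nov/2020:22:53:30 -0800] conn=1005 op=-1 msgId=-1 - fd=119 slot=119 connection from 10.0.0.8:51238 to 10.0.0.10:389
"""

# Constructed stand-in for UIDlist.csv (a single UID column, as the thread's
# "rename UID AS uid" implies). carol is deliberately absent.
UID_CSV = "UID\nalice\nbob\n"

CONN_RE = re.compile(r"\bconn=(?P<conn>\d+)")
FROM_RE = re.compile(r"connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):")
BIND_RE = re.compile(r'BIND dn="uid=(?P<uid>[^,"]+)')


def load_uid_list(csv_text):
    """Read the lookup the way `inputlookup UIDlist.csv | rename UID AS uid` would."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["UID"].strip().lower() for row in reader if row.get("UID")}


def correlate(log_text):
    """Return {conn: (from_ip, uid)} for connections that have both a
    'connection from' event and a BIND event (the `stats ... by conn` step).
    Connections missing either half are left out, exactly as the SPL drops them."""
    from_ip = {}
    bound_uid = {}
    for line in log_text.splitlines():
        m_conn = CONN_RE.search(line)
        if not m_conn:
            continue
        conn = m_conn.group("conn")
        m_from = FROM_RE.search(line)
        if m_from:
            from_ip[conn] = m_from.group("ip")
        m_bind = BIND_RE.search(line)
        if m_bind:
            bound_uid[conn] = m_bind.group("uid")
    return {c: (from_ip[c], bound_uid[c]) for c in from_ip if c in bound_uid}


def count_by_ip_uid(log_text, csv_text):
    """The full query: correlate by conn, keep only UIDs in the lookup,
    then `stats count by FROM_IP, uid`. UIDs are compared lower-cased so a
    casing difference between the lookup and the log does not drop a row."""
    allowed = load_uid_list(csv_text)
    counts = Counter()
    for ip, uid in correlate(log_text).values():
        if uid.lower() in allowed:
            counts[(ip, uid.lower())] += 1
    return counts


if __name__ == "__main__":
    for (ip, uid), n in sorted(count_by_ip_uid(SAMPLE_LOG, UID_CSV).items()):
        print(f"{ip:<15} {uid:<10} {n}")
```

Running it prints one row per (FROM_IP, uid) pair: 10.0.0.5/alice twice, 10.0.0.6/bob once. conn=1005 never binds and conn=1004 binds as carol, who is not in the lookup, so neither appears; if you need to see those (for example to spot binds from users who should not exist), drop the lookup filter or count the rejected rows separately.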