Question:

I'm running a query which returns the destination IP addresses of a user's external traffic in one column, something like that:

-dest-

which means the user accessed the IP addresses listed above (in the last 15 minutes, for example).

I'm also running a different query to make a DNS PTR record check of a given IP address, something like that:

index=dnslogs sourcetype=ptr_data dns_name="1.2.3.4" | stats values(query)

and it returns something like that:

-DNS Value-

AFTER my first query returns this one-column result, I want to iterate every value of each row into my next query to look for DNS PTR records and then merge the results of the queries. What I mean is I need to run every IP address in this query and then merge the results:

index=dnslogs sourcetype=ptr_data dns_name="x.x.x.x" | stats values(query)

x.x.x.x should be replaced by these IP addresses for each iteration, and my expected results should look something like that:

-dest- -DNS Value-

The result above shows that some of the query results return NULL, some of them return multiple values like 45.45.45.45, and some of them only return one value. These two queries are completely different queries. Is there any way to do something like that? I looked at sub-search but it didn't work for me, or I couldn't do this.

Answer:

First, run this so you understand what is going on:

your first query | stats count by dest | fields dest | rename dest as dns_name | format

That will return a single field called "search", with a value that looks like this.
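One way to carry the answer's format trick through to the merged dest / DNS Value table the question asks for, as an added example that is not from the original thread: the inner subsearch builds `( ( dns_name="1.2.3.4" ) OR ( dns_name="5.6.7.8" ) )` from the first query's results, the PTR lookup runs once for all of them, and a left join keeps destinations that have no PTR record so they show up as the NULL rows the question expects. `index=proxy user="alice" earliest=-15m` stands in for "your first query" and is an assumption; `dest`, `query` and `dns_name` are the field names from the question.

```spl
index=proxy user="alice" earliest=-15m
| stats count by dest
| fields dest
| rename dest AS dns_name
| join type=left dns_name
    [ search index=dnslogs sourcetype=ptr_data
        [ search index=proxy user="alice" earliest=-15m
          | stats count by dest
          | fields dest
          | rename dest AS dns_name
          | format ]
      | stats values(query) AS "DNS Value" by dns_name ]
| rename dns_name AS dest
```

Destinations with several PTR names come back as a multivalue "DNS Value" field, and those with none keep an empty value. Subsearches are capped by default at 10,000 results and 60 seconds, so if the first query can return more destinations than that, the OR clause built by format will be silently truncated.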