=NULL| convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats count as date_count by date, dport | stats median(date_count) as median_count max(date_count) as max_count avg(date_count) as avg_count by dport | eval avg_deviation=max_count/avg_count | eval median_deviation=max_count/median_co...
index=main source=*access* | join type=left clientip [search index=main source=*access* | top 10 clientip showperc=f | streamstats count as rank ] | eval clientip=if(rank>=1, clientip, "others"), rank=coalesce(rank, 11) | stats count by clientip, rank | sort rank | table...
| eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation by " . src_ip, "false") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time|...
sourcetype=log4j ERROR earliest=-7d@d latest=@d | eval warns=errorGroup+"-"+errorNum | stats count as Date_Warns_Count by date_mday,warns | stats stdev(Date_Warns_Count), var(Date_Warns_Count) by warns
This search returns errors from the last 7 days and creates the new field, warns...
mincount: a numeric value giving the minimum bucket count; buckets with fewer values than this are not shown. stats-datehistogram command format: date_histogram(field,interval,format='{format}',time_zone='{tz}',mincount={mincount}) index=bankdata* | stats count(TranSeqNo) as tran_count by date_histogram(@timestamp,hour,mincount=0) ...
| eval ASD = strptime(ARTStartDate, "%m/%d/%Y") | where strptime("10/1/2021", "%m/%d/%Y") < ASD AND ASD < strptime("5/27/2022", "%m/%d/%Y") | stats count(ASD) as "Tx_new" by FacilityName I used the above code as directed, still no result. Is there a way I can eval...
sourcetype="secure*" action="Accepted" | bin _time span=1d | stats count(user) by _time, ip | rename count(user) as User_count | search User_count>10 3.5 Abnormal login time. Scenario: define the normal server login window; a login outside that window can raise an alert. Security policy: accounts that logged in successfully between 00:00 and 08:00.
sourcetype="secure*" AND "failed password" | stats count by ip | sort 10 -count 3.3 User login from multiple locations. Scenario: a user logging in from several different locations within a short time is treated as an anomalous account. Security policy: logins from more than 3 cities within 1 day are treated as an anomalous remote login. sourcetype="secure*" action="Accepted" | bin _time span=1d | iplocation ip | stats...