Need table o/p with each FROM_IP its related uid

Question

index=name conn "connection from"  
    [search index=name 
        [| inputlookup UIDlist.csv 
        |rename UID AS uid
        | fields uid ]
    "BIND"  
   | fields conn ]  
| rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):"  
| stats count by FROM_IP

tst.csv file has list of UID so that it can give o/p for one user then other and so on ...
I want the table FROM_IP with which uid

O/p of two query used above :

index=name BIND uid | fields conn

[10/Nov/2020:06:38:40 +0000] conn=111111 op=4238 msgId=4239 - BIND dn="uid=uid,ou=xxx,o=xxxx,o=email" method=128 version=3

index=name conn "connection from" | rex field=_raw "connection from (?<FROM_IP>\d+.\d+.\d+.\d+):" | stats count by FROM_IP

[09/Nov/2020:22:52:55 -0800] conn=1111111 op=-1 msgId=-1 - fd=115 slot=115 xxxx connection from xx.xx.xx.xx.xx to xx.xx.xx.xx.xx

What is "o/p"? Please elaborate on the problem, including the form of the data and the expected results. — RichG, Nov 03 '20 at 13:22
O/p is in table formate : FROM_IP. and Count so I need uid for corresponding FROM_IP — Misrty vib, Nov 05 '20 at 11:08
The uid is not available because it was discarded by the `fields conn` command in the subsearch. — RichG, Nov 05 '20 at 14:39
Since I don't understand your data I can't offer a reasonable alternative query. — RichG, Nov 09 '20 at 18:19
I have added o/p of two separate query used ... can some one help here — Misrty vib, Nov 10 '20 at 06:58

score 0 · Accepted Answer · answered Nov 10 '20 at 14:51

0

Try this query. It's not as efficient as your original query since it reads more rows, but sometimes it can't be helped. We start by reading both connection and BIND events then putting them together using stats. Then we filter out those not in the lookup file.

index=name conn ("connection from" OR "BIND")
| stats values(*) as * by conn
| search [| inputlookup UIDlist.csv 
        |rename UID AS uid
        | return $uid ]
| rex field=_raw "connection from (?<FROM_IP>\d+\.\d+\.\d+\.\d+):"
| rex field=dn "uid=(?<uid>[^,]+)"
| stats count by FROM_IP, uid

answered Nov 10 '20 at 14:51

RichG

4,202
1
12
23

This is giving events but no o/p for statistics – Misrty vib Nov 11 '20 at 02:32
Also if possible instead of uid if ‘dn’ value is given out that will also be fine. – Misrty vib Nov 11 '20 at 02:35
To use dn instead of uid, remove the second `rex` command and replace 'uid' with 'dn' in the second `stats` command. – RichG Nov 11 '20 at 12:24
Problem here is its not throwing results in stats formate --- means ' stats count by FROM_IP, uid’ field is not working – Misrty vib Nov 12 '20 at 09:01

Need table o/p with each FROM_IP its related uid

1 Answers1