sourcetype="mail_pop3" [search sourcetype="mail_pop3" | top 100 pop3_loginfailed_ip | rename pop3_loginfailed_ip as pop3_signingon_ip | fields pop3_signingon_ip | outputcsv pop3_loginfailed_ip_top10.csv] [| inputcsv pop3_loginfailed_ip_top10.csv | return 10 pop3_signingon_ip] | stats count by pop3_signingon_ip, pop3_signingon_id
Green (the first subsearch, top ... outputcsv):
This part of the search outputs the top 10 pop3_loginfailed_ip values to the file pop3_loginfailed_ip_top10.csv,
and at the same time renames the field pop3_loginfailed_ip to pop3_signingon_ip so that the name is ready for use when the file is read back in.
Blue (the second subsearch, inputcsv ... return):
It then reads pop3_loginfailed_ip_top10.csv back in and, based on the pop3_signingon_ip field, generates 10 search terms.
Suppose the contents of pop3_loginfailed_ip_top10.csv are
"pop3_signingon_ip", "_tc"
"206.54.106.82", 61296
"119.42.150.122", 61296
"211.79.36.249", 61296
"219.68.232.164", 61296
"59.124.81.159", 61296
then "return 10 pop3_signingon_ip" expands to
search pop3_signingon_ip="206.54.106.82" OR pop3_signingon_ip="119.42.150.122" OR pop3_signingon_ip="211.79.36.249" OR pop3_signingon_ip="219.68.232.164" OR pop3_signingon_ip="59.124.81.159"
That is exactly why it is worth the hassle of writing out a csv first and then reading it back in.
So, put together, the search first exports the top 10 failed-login IPs to csv, and then, when the csv is read back in, retrieves the accounts that logged in successfully from those IPs together with the accumulated count per IP and account.
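To make the two-stage logic concrete, here is an added example (not part of the original post, and not Splunk code) that replays the same pipeline in Python over a handful of constructed mail_pop3 events: it counts the top N failed-login IPs, writes them to a csv with the renamed field (mirroring outputcsv, including the _tc total-count column that top produces), expands that csv into the same OR clause that "return N pop3_signingon_ip" would generate, and finally counts successful sign-ons per IP and account the way the outer "stats count by" does. The event dicts, the helper names and the Python representation of each SPL command are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample events (added for this example, not data from the page).
# Each dict stands for one Splunk event of sourcetype=mail_pop3.
FAILED_EVENTS = [
    {"pop3_loginfailed_ip": ip}
    for ip in ["206.54.106.82", "206.54.106.82", "206.54.106.82",
               "119.42.150.122", "119.42.150.122", "10.0.0.5"]
]
SUCCESS_EVENTS = [
    {"pop3_signingon_ip": "206.54.106.82", "pop3_signingon_id": "alice"},
    {"pop3_signingon_ip": "206.54.106.82", "pop3_signingon_id": "alice"},
    {"pop3_signingon_ip": "206.54.106.82", "pop3_signingon_id": "bob"},
    {"pop3_signingon_ip": "119.42.150.122", "pop3_signingon_id": "alice"},
    {"pop3_signingon_ip": "10.0.0.5", "pop3_signingon_id": "carol"},
]


def export_top_failed_ips(events, n):
    """First subsearch: top n pop3_loginfailed_ip | rename | fields | outputcsv.

    Returns the csv text with the renamed field plus _tc (top's running total),
    matching the layout the post shows for pop3_loginfailed_ip_top10.csv."""
    counts = Counter(e["pop3_loginfailed_ip"]
                     for e in events if "pop3_loginfailed_ip" in e)
    total = sum(counts.values())
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["pop3_signingon_ip", "_tc"])
    for ip, _ in counts.most_common(n):
        writer.writerow([ip, total])
    return buf.getvalue()


def return_clause(csv_text, n, field="pop3_signingon_ip"):
    """Second subsearch: inputcsv | return n <field>.

    Expands the first n rows into field="value" OR field="value" ... exactly
    as the post shows the return command doing."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return " OR ".join(f'{field}="{row[field]}"' for row in rows[:n])


def parse_clause(clause, field="pop3_signingon_ip"):
    """Turn the generated OR clause back into the set of IPs it matches."""
    ips = set()
    for term in clause.split(" OR "):
        key, _, value = term.partition("=")
        if key == field:
            ips.add(value.strip('"'))
    return ips


def stats_count_by_ip_and_id(events, ips):
    """Outer search: stats count by pop3_signingon_ip, pop3_signingon_id,
    restricted to the IPs selected by the subsearch clause."""
    counts = Counter(
        (e["pop3_signingon_ip"], e["pop3_signingon_id"])
        for e in events
        if e.get("pop3_signingon_ip") in ips and "pop3_signingon_id" in e
    )
    return dict(counts)


def run_pipeline(failed_events, success_events, n):
    """Whole search: top-n failed IPs -> csv -> OR clause -> success counts."""
    csv_text = export_top_failed_ips(failed_events, n)
    clause = return_clause(csv_text, n)
    counts = stats_count_by_ip_and_id(success_events, parse_clause(clause))
    return clause, counts


if __name__ == "__main__":
    clause, counts = run_pipeline(FAILED_EVENTS, SUCCESS_EVENTS, 2)
    print("search", clause)
    for (ip, user), c in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(ip, user, c)
```

With N=2 on the constructed data, 10.0.0.5 has the fewest failures and drops out of the clause, so carol's successful sign-on from it never reaches the final count; the result is the list of accounts that signed in successfully from the most-attacked IPs, which is the view the original search is built to give.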