How to search for maximum hitting IPs if those IPs are showing in the error.message field

I am getting multiple hits in my IIS logs and want a query to get which IP is hitting multiple times,
and those IPs are showing in the error.message field as a string.

A terms aggregation on the ip field, maybe?

I don't have the ip field; all IPs are coming from the CDN and showing in the message field somewhere.

You can't do this then. You need to extract from the raw data a structured content which can then be used for this.
Dissect or grok processors in an ingest pipeline could help.
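A worked example of that approach, added here and not from the thread: an ingest pipeline whose grok processor lifts the first IPv4 address out of error.message into a client.ip field, plus the terms aggregation that then ranks the most frequent IPs. The layout of error.message, the pipeline name and the client.ip field name are assumptions; the helper functions apply the same pattern locally to constructed messages so the logic can be checked offline.

```python
import re
from collections import Counter

# Assumed pipeline name and target field; adjust to your index conventions.
PIPELINE_NAME = "iis-client-ip"

# Ingest pipeline: grok pulls the first IPv4 found anywhere in error.message
# into client.ip (DATA is non-greedy, so the first address wins), then convert
# validates it as an IP value. Assumes the CDN-fronted IIS log embeds the
# client address as free text somewhere in error.message.
INGEST_PIPELINE = {
    "description": "Extract client IP embedded in error.message",
    "processors": [
        {"grok": {
            "field": "error.message",
            "patterns": ["%{DATA}%{IPV4:client.ip}%{GREEDYDATA}"],
            "ignore_missing": True,
        }},
        {"convert": {"field": "client.ip", "type": "ip", "ignore_missing": True}},
    ],
}
# PUT _ingest/pipeline/<PIPELINE_NAME> with the body above, map client.ip as
# type "ip" (or "keyword") in the index so it can be aggregated, and index with
# ?pipeline=<PIPELINE_NAME>. POST _ingest/pipeline/_simulate lets you try the
# grok pattern against a few real error.message values before reindexing.

# Search body: count documents per extracted IP, highest first.
TOP_IPS_QUERY = {
    "size": 0,
    "query": {"exists": {"field": "client.ip"}},
    "aggs": {"top_client_ips": {"terms": {"field": "client.ip", "size": 10}}},
}

# Local equivalent of the grok IPV4 step, used to check the idea offline.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = re.compile(rf"\b{_OCTET}(?:\.{_OCTET}){{3}}\b")

def extract_client_ip(message):
    """Return the first IPv4 address in message, or None (grok 'no match')."""
    m = _IPV4.search(message or "")
    return m.group(0) if m else None

def top_client_ips(docs, size=10):
    """Local stand-in for the terms aggregation: (ip, hits) pairs, highest first."""
    ips = (extract_client_ip(d.get("error.message")) for d in docs)
    return Counter(ip for ip in ips if ip).most_common(size)

# Constructed sample documents, not real log data.
SAMPLE_DOCS = [
    {"error.message": "Request rejected, client 203.0.113.10 via CDN edge"},
    {"error.message": "Request rejected, client 203.0.113.10 via CDN edge"},
    {"error.message": "Timeout for 198.51.100.7 (retry 3)"},
    {"error.message": "Unknown failure, no address recorded"},
]
```

Documents with no address in error.message simply get no client.ip and drop out of the aggregation via the exists query.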
