https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136040#M37213 <P>Sure - this looks like a search that returns information. However, it probably won't get the categories you are looking for. The below splits out the categories into the cim field "category". If this works for what you are looking for, then it makes sense.</P> <PRE><CODE>index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app category="Malicous Sources" OR category="Botnets" | stats count by username,host,referrer | where count&gt; 1 | table _time username,host,referrer filter_results </CODE></PRE> Tue, 23 Sep 2014 16:30:26 GMT alacercogitatus 2014-09-23T16:30:26Z https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136036#M37209 <P>index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app categories="Malicous Sources" OR "Botnets" | stats count by username,host,referrer | count&gt; 1 | table _time username,host,referrer filter_results</P> Mon, 28 Sep 2020 17:39:40 GMT https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136036#M37209 ahmar74 2020-09-28T17:39:40Z https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136037#M37210 <P>Do elaborate on what you actually need help with.</P> Tue, 23 Sep 2014 09:50:39 GMT https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136037#M37210 martin_mueller 2014-09-23T09:50:39Z https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136038#M37211 <P>does the rule make sense to you as is?</P> Tue, 23 Sep 2014 11:57:47 GMT https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136038#M37211 ahmar74 2014-09-23T11:57:47Z https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136039#M37212 <P>There's likely a syntax error in <CODE>| count &gt; 1 |</CODE> due to lack of a search command such as <CODE>search</CODE> or <CODE>where</CODE> - both will achieve what you wanted and throw out events with <CODE>count=1</CODE>.</P> Tue, 23 Sep 2014 14:55:30 GMT https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136039#M37212 martin_mueller 2014-09-23T14:55:30Z https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136040#M37213 <P>Sure - this looks like a search that returns information. However, it probably won't get the categories you are looking for. The below splits out the categories into the cim field "category". If this works for what you are looking for, then it makes sense.</P> <PRE><CODE>index=app_proxy sourcetype=bcoat_proxysg_app OR sourcetype=bcoat_proxyclient_app category="Malicous Sources" OR category="Botnets" | stats count by username,host,referrer | where count&gt; 1 | table _time username,host,referrer filter_results </CODE></PRE> Tue, 23 Sep 2014 16:30:26 GMT https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136040#M37213 alacercogitatus 2014-09-23T16:30:26Z https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136041#M37214 <P>Additionally, after the <CODE>stats</CODE> there are no <CODE>_time</CODE> and <CODE>filter_results</CODE> columns, so listing them in <CODE>table</CODE> doesn't seem to make sense to me.</P> Wed, 24 Sep 2014 08:55:29 GMT https://community.splunk.com/t5/Splunk-Search/New-rule-in-detecting-multiple-requests-for-a-known-Malicious/m-p/136041#M37214 martin_mueller 2014-09-24T08:55:29Z