Webproxy search help

Path Finder

Hi I've got this webproxy ES base search where I'm trying to show high number of destinations from a low number of sources. I would also like to throttle the search by going back 24hr, then only looking at the most recent time. How best to do that?

| tstats `summariesonly` count min(_time) as first_seen max(_time) as last_seen values(Web.action) as Web.action from datamodel=Web.Web WHERE index=webproxy Web.action=allowed
by Web.src Web.dest
| `drop_dm_object_name("Web")`
| convert ctime(*_seen)
| lookup dnslookup clientip AS dest OUTPUT clienthost AS dest_host
| lookup dnslookup clientip AS src OUTPUT clienthost AS src_host
| search NOT src_host=drekar-rancher-ccena*
| sort - count


Labels (3)
Tags (1)
0 Karma

Path Finder


0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!