I believe the following search displays the number of connections in one hour over 24 hours. I am looking for a search to show the connection count over a 10-minute span in the last 24 hours. I am trying to find persistent connections: 1 connection to an external IP every 10 minutes for 24 hours.
index=firewall earliest=-24h@h latest=@h | bucket _time span=1h | stats count by _time, dst, dstport | eventstats count(eval(count>0)) AS hoursnonzero BY dst dstport | search hoursnonzero>=24
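
The 10-minute variant of the search above, as an added example that is not part of the original post: it bins events into 10-minute buckets and keeps destinations seen in all 144 buckets of the 24-hour window (24 h / 10 min = 144). The field names `dst` and `dstport` are taken from the post; the RFC 1918 exclusion used to approximate "external IP" and the output field names `active_buckets`, `connections` and `coverage_pct` are assumptions.

```spl
index=firewall earliest=-24h@h latest=@h
| where NOT (cidrmatch("10.0.0.0/8", dst) OR cidrmatch("172.16.0.0/12", dst) OR cidrmatch("192.168.0.0/16", dst))
| bin _time span=10m
| stats count by _time, dst, dstport
| stats dc(_time) AS active_buckets, sum(count) AS connections by dst, dstport
| eval coverage_pct=round(active_buckets/144*100, 1)
| where active_buckets>=144
| sort - connections
```

Lowering the final threshold (for example `active_buckets>=140`) tolerates a few dropped log events or a beacon interval that drifts across a bucket boundary.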