I currently have a saved search. The command is as follows:
rt_idp (source_address=[ip range]) | top limit=100 source_address, attack_name, threat_severity, source_zone_name, destination_zone_name | lookup dnsLookup ip as source_address | sort threat_severity, source_address
I'd like to add destination_address as one of the values reported, but if I add the field to the 'top' command, I get multiple lines for each source_address, one per dest. I'm wanting just one line per source, with perhaps the top destination, it's DNS name, and the percentage of attacks from the source that were directed at said top destination.
Anyone know how to accomplish this?