Hi,
I need help writing a query to fetch the details for the logic mentioned below:
For the firewall logs, accept events from the same source IP more than 100 times, to more than 3 destination IPs.
Thanks
Perhaps this will help.
index=firewall | stats count dc(dst_ip) as dst_count by src_ip | where (count > 100 AND dst_count > 3)
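Added illustration, not part of the answer above: the same aggregation (count per source IP, distinct destination IPs per source IP, then both thresholds) written in Python over a constructed set of key=value firewall events, so the logic can be checked offline before it is turned into a saved search. It also applies the action=accept filter the question asks for, which the SPL above does not include; the field names action, src_ip and dst_ip and the log line format are assumptions, and the IP addresses are RFC 5737 documentation ranges.

```python
"""Flag source IPs with more than 100 accepted events to more than 3 destinations.

Worked example added here; not code from the thread. Field names
(action, src_ip, dst_ip) and the key=value line format are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

COUNT_THRESHOLD = 100   # "more than 100 times"
DST_THRESHOLD = 3       # "more than 3 destination IPs"


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value firewall line (constructed format) into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def flag_sources(lines: Iterable[str],
                 count_threshold: int = COUNT_THRESHOLD,
                 dst_threshold: int = DST_THRESHOLD) -> Dict[str, Tuple[int, int]]:
    """Equivalent of `stats count dc(dst_ip) by src_ip | where ...`.

    Only action=accept events are counted (the question's "accept events").
    Returns {src_ip: (event_count, distinct_dst_count)} for sources that
    exceed BOTH thresholds.
    """
    counts: Dict[str, int] = defaultdict(int)        # count per src_ip
    dsts: Dict[str, Set[str]] = defaultdict(set)     # dc(dst_ip) per src_ip
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "accept":
            continue
        src, dst = ev.get("src_ip"), ev.get("dst_ip")
        if not src or not dst:
            continue                                   # malformed line, skip
        counts[src] += 1
        dsts[src].add(dst)
    return {
        src: (counts[src], len(dsts[src]))
        for src in counts
        if counts[src] > count_threshold and len(dsts[src]) > dst_threshold
    }


def build_sample_log() -> List[str]:
    """Constructed sample events covering the hit and each miss case."""
    lines: List[str] = []

    def emit(src: str, dst: str, action: str, n: int) -> None:
        for i in range(n):
            lines.append(f"ts=2024-01-01T00:00:{i % 60:02d} action={action} "
                         f"src_ip={src} dst_ip={dst} dst_port=443")

    # Fires: 120 accepts spread over 5 destinations.
    for k in range(5):
        emit("192.0.2.10", f"198.51.100.{k + 1}", "accept", 24)
    # Misses: 150 accepts, but only 2 destinations.
    emit("192.0.2.20", "198.51.100.1", "accept", 75)
    emit("192.0.2.20", "198.51.100.2", "accept", 75)
    # Misses: 6 destinations, but only 60 accepts.
    for k in range(6):
        emit("192.0.2.30", f"198.51.100.{k + 1}", "accept", 10)
    # Misses: 120 events to 4 destinations, but all denied, so excluded.
    for k in range(4):
        emit("192.0.2.40", f"198.51.100.{k + 1}", "deny", 30)
    return lines


if __name__ == "__main__":
    for src, (n, dc) in sorted(flag_sources(build_sample_log()).items()):
        print(f"{src}: {n} accepts to {dc} distinct destinations")
```

Only 192.0.2.10 is reported on the sample data; the other three sources each fail exactly one condition, which is a useful sanity check before lowering thresholds in production. The thresholds are parameters so the same function can be tuned against real volumes.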