I try to build up a firewall report:
sourcetype="firewall" action=blocked | table host src dest srcport destport
This gives me endless rows, and many of them are duplicated.
I try to delete all the duplicates and count them so that I have something like
HOST | SRC | DEST | SRCPORT | DESTPORT | COUNT
that would give a nice overview.
The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered, I guess; I assume SRC_PORT will vary a lot?
sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port
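To show what `stats count by` does to the duplicated rows, here is an added Python example that is not part of the original question or answer. It builds a handful of constructed blocked-connection events (hypothetical hosts and addresses, not real log data) and aggregates them the way the answer's search does: one row per distinct combination of the chosen fields plus a count. It also goes one step beyond the answer by running the same aggregation without `src_port`, which illustrates the answer's point that ephemeral source ports keep the table cluttered.

```python
from collections import Counter

# Constructed sample events, standing in for what the
# sourcetype="firewall" action=blocked search would return.
# Hosts, addresses and ports are hypothetical.
SAMPLE_EVENTS = [
    {"host": "fw1", "src": "10.0.0.5", "dest": "192.0.2.10", "src_port": 51000, "dest_port": 22},
    {"host": "fw1", "src": "10.0.0.5", "dest": "192.0.2.10", "src_port": 51000, "dest_port": 22},
    {"host": "fw1", "src": "10.0.0.5", "dest": "192.0.2.10", "src_port": 51001, "dest_port": 22},
    {"host": "fw1", "src": "10.0.0.7", "dest": "192.0.2.10", "src_port": 44321, "dest_port": 3389},
    {"host": "fw2", "src": "10.0.0.5", "dest": "192.0.2.11", "src_port": 51000, "dest_port": 22},
]


def stats_count_by(events, fields):
    """Equivalent of `| stats count by <fields>`: one row per distinct
    combination of the given fields, with the number of events in it.
    Events that lack any of the fields are skipped, as stats does."""
    counter = Counter()
    for ev in events:
        if all(f in ev for f in fields):
            counter[tuple(ev[f] for f in fields)] += 1
    rows = [dict(zip(fields, key), count=n) for key, n in counter.items()]
    # Busiest combinations first, like appending `| sort - count`
    rows.sort(key=lambda r: (-r["count"], tuple(str(r[f]) for f in fields)))
    return rows


def print_table(rows, fields):
    """Render the aggregated rows as HOST | SRC | ... | COUNT."""
    header = fields + ["count"]
    print(" | ".join(h.upper() for h in header))
    for r in rows:
        print(" | ".join(str(r[h]) for h in header))


if __name__ == "__main__":
    full = ["host", "src", "dest", "src_port", "dest_port"]
    print_table(stats_count_by(SAMPLE_EVENTS, full), full)
    print()
    # Dropping src_port collapses the ephemeral source ports into one row
    # per host/src/dest/dest_port, which is usually the more useful overview.
    no_src_port = ["host", "src", "dest", "dest_port"]
    print_table(stats_count_by(SAMPLE_EVENTS, no_src_port), no_src_port)
```

With all five fields the five sample events collapse to four rows; leaving out `src_port` collapses them to three, with the repeated 10.0.0.5 to 192.0.2.10 port 22 attempts summed into a single row.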