I have firewall logs coming in. I have a field which is the destination of traffic (dst). I would like to show the total count of the destination field and the count of the unique sources.
So the result would be:
Dst               Total Events   Sources
184.108.40.206    50             25
220.127.116.11    40             35
18.104.22.168     150            95
I think this does it. I've done some checks and it appears the numbers line up. Is there a better way or more efficient query I could have written?
dst=* | stats count(dst), dc(host) by dst | sort -num("dc(host)") | rename dst as "Destination IP", count(dst) as "Total Count", dc(host) as "Total Locations"
I'm guessing this was the best way.
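As an added illustration, not part of the original post, here is the same aggregation written in Python over a handful of constructed key=value firewall lines. It assumes the events carry fields named src and dst (the post's query uses host as the source field, which is passed in as a parameter here) and mirrors stats count(dst), dc(src) by dst followed by a descending sort on the distinct-source count, which is the fan-in view useful for spotting a destination being hit from an unusual number of sources.

```python
from collections import defaultdict

# Constructed sample firewall log lines in key=value form (not from the original post).
SAMPLE_LOGS = """\
src=10.0.0.5 dst=203.0.113.10 action=allow
src=10.0.0.6 dst=203.0.113.10 action=allow
src=10.0.0.5 dst=203.0.113.10 action=deny
src=10.0.0.7 dst=198.51.100.20 action=allow
src=10.0.0.8 dst=198.51.100.20 action=allow
src=10.0.0.9 dst=198.51.100.20 action=allow
src=10.0.0.5 dst=192.0.2.30 action=allow
"""


def parse_kv(line):
    """Split a 'k=v k=v ...' line into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def stats_by_dst(log_text, src_field="src"):
    """Equivalent of: dst=* | stats count(dst), dc(<src_field>) by dst | sort -dc.

    Returns a list of (dst, total_events, distinct_sources) tuples, most
    distinct sources first.  src_field is the assumed name of the source
    field (the original query used 'host').
    """
    totals = defaultdict(int)      # count(dst) per destination
    sources = defaultdict(set)     # distinct source values per destination
    for line in log_text.splitlines():
        event = parse_kv(line)
        dst = event.get("dst")
        if dst is None:            # mirrors the dst=* filter: drop events without dst
            continue
        totals[dst] += 1
        if src_field in event:     # dc() ignores events where the field is missing
            sources[dst].add(event[src_field])
    rows = [(dst, totals[dst], len(sources[dst])) for dst in totals]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"{'Destination IP':<16}{'Total Count':>12}{'Total Locations':>17}")
    for dst, total, distinct in stats_by_dst(SAMPLE_LOGS):
        print(f"{dst:<16}{total:>12}{distinct:>17}")
```

Because dst=* already restricts the search to events with a dst value, count(dst) and a plain count give the same number; the distinct count is the column worth sorting on when the goal is to see which destinations draw traffic from the widest spread of sources.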