In Extreme Search, I would like to know what this statement means and how it is derived by Splunk:
"xswhere count from count_by_signature_1h in ids_attacks by signature is above medium"
The above applies for src, dest_port, etc. I wanna know how "medium" is calculated.
From https://answers.splunk.com/answers/294454/splunk-app-for-enterprise-security-how-to-debug-xs.html:
To view a context, you can use the command "xsDisplayContext". In the example you have above, you would run this search command:
| xsDisplayContext 'count_by_signature_1h' in 'ids_attacks' by 'xy signature'
Also, please check this app: Extreme Search Visualization.