I'm still a little new to splunk searches so I'm not quite sure I understand this search. you bucket all events that span 1 minute then count all internal_ip (not sure what as does or the comma) using _time as an input and declaring connected_ips as a variable somehow? then searching that value for all values greater than 100? As a programmer I'm thinking of more of a foreach loop of some kind, which I also don't really understand in splunk, then counts through each external IP and counts the number of events with a different internal IP in the span of 1 minute and returns that external IP and count of events so I can put in a pie chart.

Could you please help me with this search.

No problem, I'll explain what I was thinking and see if it matches up with what you wanted to accomplish.

First: | bucket _time span=1m

This takes all of your events and essentially rounds their timestamps down to the current minute. This allows you to have a common field _time for all of your events that occurred within the same minute

Next: | stats dc(internal_ip) as connected_ips by _time, external_ip

The stats command allows you to perform operations on your data like count, average, or in this case: Distinct count. Basically I'm telling it to give you a count of the unique internal IP addresses, using as to give it a new field name called connected_ips. Using by we tell the results to grouped by _time (which is now grouped into one minute intervals) and external_ip.

The comma separating the two by fields is optional, I just like to use it for readability.

Finally: | search connected_ips >= 100

Now we tell Splunk to take the previous data and only show the results that talked to 100+ internal IPs. You should now have a result that lists the _time, external_ip, and the number of internal IPs that they connected to.

Does that match with what you were shooting for?

Thank you for the help, that makes much more sense.

You bet. Does that accomplish what you were trying to do?

yes it does. Thank you very much