Want to improve the TSTAT for the "Substantial Increase In Port Activity" correlation search.

| tstats allow_old_summaries=true count,values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest_port 
| `drop_dm_object_name("All_Traffic")` 
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme

Was able to add the "action" field to determine if it was allowed or blocked with the below.

| tstats allow_old_summaries=true count,values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" by All_Traffic.dest_port All_Traffic.action 
| `drop_dm_object_name("All_Traffic")` 
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme

I want to be able to use the EVAL to concatenate several fields and use the TIMECHART to determine the previous x days volume of the same traffic. I have tried the below, but it does not show results. Thoughts or suggestions for using the EVAL to concatenate within a TSTAT? Thank you in advance for your time.

| tstats allow_old_summaries=true count,values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" by All_Traffic.dest_port All_Traffic.action All_Traffic.dest_ip All_Traffic.src_ip
| `drop_dm_object_name("All_Traffic")` 
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
| eval session= All_Traffic.src_ip."->".All_Traffic.dest_ip."/".All_Traffic.dest_port." was ".All_Traffic.action
| timechart span=1d limit=0 count by session