Would someone be able to help me understand how do to this? I would like to modify the built in dashboard in the InfoSec APP to exclude a specific source IP address. The default search the dashboard uses is below.
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks where * IDS_Attacks.severity="*" by IDS_Attacks.signature, IDS_Attacks.severity | rename "IDS_Attacks.*" as "*" | sort severity
Currently, that dashboard visual is full of events from my vulnerability scanner running scans.