Try this. It will give you the top 10 repeat offenders, but depending on your data they may all be on the same day.
... | stats count(_time) AS Occurs by src_ip | where Occurs > 6 | top limit=10 Occurs,src_ip | ...
This one works. Tweaking... Thanks Martin
How 'bout this then?
index=yourIndex sourcetype=yourSourceType earliest=-7d@d | eventstats dc(date_mday) as days by src_ip | where days > 1 | top limit=10 src_ip
I think it will. See martin_mueller's comment.
Would (date_mday) work better than _time to make sure it is only counting the days rather than time entries?
No, it works, but I need only the IPs, with the date returned, if they have been denied on more than 1 day over the search period.
Will something like this work?
index=yourIndex sourcetype=yourSourceType earliest=-7d@d | top limit=10 src_ip
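The difference the thread turns on, counting events per src_ip versus counting distinct days per src_ip, worked through in Python as an added example (not from the thread or from Splunk). The deny events are constructed, the function names are my own, and the distinct-day logic keys on the full date rather than on date_mday so that day-of-month values from different months cannot collide:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall-deny events: (timestamp, src_ip).
# 10.0.0.5 is noisy within a single day; 10.0.0.9 and 10.0.0.7 are
# denied on several different days; 10.0.0.11 appears once.
SAMPLE_EVENTS = [(f"2024-03-01 08:{m:02d}:00", "10.0.0.5") for m in range(7)] + [
    ("2024-03-01 09:10:00", "10.0.0.9"),
    ("2024-03-03 11:20:00", "10.0.0.9"),
    ("2024-03-05 13:30:00", "10.0.0.9"),
    ("2024-03-02 10:00:00", "10.0.0.7"),
    ("2024-03-02 10:05:00", "10.0.0.7"),
    ("2024-03-04 16:45:00", "10.0.0.7"),
    ("2024-03-06 23:59:00", "10.0.0.11"),
]


def count_events(events):
    """Same idea as: stats count(_time) AS Occurs by src_ip."""
    counts = defaultdict(int)
    for _, ip in events:
        counts[ip] += 1
    return dict(counts)


def distinct_days(events):
    """Same idea as: eventstats dc(date_mday) by src_ip, but on the full date."""
    days = defaultdict(set)
    for ts, ip in events:
        days[ip].add(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date())
    return {ip: sorted(d) for ip, d in days.items()}


def repeat_offenders_by_count(events, min_occurs=6, limit=10):
    """Top IPs by event count; a single busy day is enough to qualify."""
    ranked = sorted(count_events(events).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n > min_occurs][:limit]


def repeat_offenders_by_days(events, min_days=1, limit=10):
    """Top IPs denied on more than min_days distinct days, with those dates."""
    ranked = sorted(distinct_days(events).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, [d.isoformat() for d in ds]) for ip, ds in ranked if len(ds) > min_days][:limit]


if __name__ == "__main__":
    print("by count:", repeat_offenders_by_count(SAMPLE_EVENTS))
    print("by days: ", repeat_offenders_by_days(SAMPLE_EVENTS))
```

Run as-is, the count-based filter keeps only the single-day flood from 10.0.0.5, while the distinct-day filter drops it and returns the two IPs seen across multiple days with their dates.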