The following search will give the count of attacks by attacker_IP and destination branch.
index=waf Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort -count
Now I just want to show the top 10 attacker IPs per Branch based on their high count.
Help is always appreciated.
Thanks!!
Try this!
index=waf Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort branch -count | dedup 10 branch
I think the top command will do that. Try this:
index=waf Name=block | lookup Branches IP AS dest OUTPUTNEW branch | stats count by src branch | sort -count | top limit=10 count by branch
Not working for me.
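As an added example (not posted by anyone in this thread), the search below produces the top 10 attacker IPs per branch using the fields already in the question (index=waf, Name=block, the Branches lookup, dest, src, branch). The rank field name is my own choice; the ordering is done with sort and streamstats so that the limit is applied per branch rather than across the whole result set:

```spl
index=waf Name=block
| lookup Branches IP AS dest OUTPUTNEW branch
| stats count BY branch src
| sort 0 branch -count
| streamstats count AS rank BY branch
| where rank <= 10
| fields - rank
```

The sort 0 removes the default 10,000-row cap on sort so that branches that appear late in the alphabet are not silently dropped before the per-branch ranking; streamstats with BY branch restarts the running count for every branch value, which is why the subsequent where clause yields exactly ten attacker IPs per branch (fewer if a branch has fewer distinct sources). The same result can be obtained more compactly with the top command applied to src rather than to count, i.e. top limit=10 src BY branch placed directly after the lookup, which counts events per src within each branch and keeps the ten highest.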