I'm going to check the permission and rejection of the scan attack per hour. At this point, what I wrote... Which is appropriate, values or the list?
Also, which one is suitable, stats or streamstats?

index="firewall" (action="allow" OR action="deny") AND (attack="*scan")
| bin _time span=1d
| stats count by _time, src_ip, dest_ip, app
| stats values(dest_ip) AS dest_ip, values(count) AS count by _time, src_ip, app
| table _time, src_ip, app, dest_ip, count