So I've been asked to determine what the top 5 events are on our network from the traffic, which is simple enough, but then they want timecharts for each event, with the top 10 IPs reporting. Again, pretty simple stuff.
However, I know how to do it if I statically determine the top 5 events (one for each):
sourcetype="type" Event="eventtype" | timechart count by IPAddress
But is there any way to edit the search so that it generates a timechart for whatever the top event happens to be at that time (and then #2-#5)? Say, #6 suddenly becomes #5? Can't seem to figure it out.
EDIT: And I know that the top 10 IPs for each event could be different, which is why 5 separate charts are necessary.
Thanks!
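One way to select the Nth most frequent event at search time is a subsearch; this is an added example, not part of the original post. It reuses sourcetype, Event and IPAddress from the question, and assumes the rank value is edited per chart (1 through 5):

```spl
sourcetype="type"
    [ search sourcetype="type"
      | top limit=5 Event
      | streamstats count AS rank
      | where rank=1
      | fields Event ]
| timechart limit=10 useother=f count BY IPAddress
```

The subsearch runs over the same time range as the outer search and returns Event="<current top event>" as a filter, so re-ranking (a former #6 becoming #5) is picked up automatically; limit=10 keeps only the ten most frequent IPAddress values for that event.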