That gets me closer but doesn't break out each severity per hour, per day, average. It still doesn't populate the average number of events and I can't seem to figure out why.
Without seeing your search results, these are all best guesses...
... | bin span=5m _time | stats count by source_ip sourcetype _time | where count > 1
You can test this with internal logs easily :
index=_internal | bin span=5m _time | stats count by sourcetype source _time | where count > 1
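The search above is Splunk SPL, which cannot be run outside Splunk. As an added illustration (not from the original post or from Splunk), the following Python re-implements the same three steps over a handful of constructed log lines: floor each timestamp to a 5-minute bucket (`bin span=5m _time`), count per `source_ip`, `sourcetype` and bucket (`stats count by ...`), then keep only buckets whose count exceeds a threshold (`where count > 1`). It also computes the average number of events per bucket for each source/sourcetype pair, which is the figure the question above was trying to get at. The log format, field names and sample IPs are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs): "<ISO-8601 UTC timestamp> <source_ip> <sourcetype>"
SAMPLE_EVENTS = [
    "2024-01-01T10:01:10Z 10.0.0.5 sshd",
    "2024-01-01T10:03:50Z 10.0.0.5 sshd",
    "2024-01-01T10:04:59Z 10.0.0.5 sshd",
    "2024-01-01T10:05:01Z 10.0.0.5 sshd",   # first event of the next 5-minute bucket
    "2024-01-01T10:02:00Z 10.0.0.9 sshd",
    "2024-01-01T10:02:30Z 10.0.0.9 web",
    "2024-01-01T10:02:45Z 10.0.0.9 web",
]

SPAN_SECONDS = 300  # 5m, matching `bin span=5m _time`


def parse_event(line):
    """Split one constructed log line into (epoch_seconds, source_ip, sourcetype)."""
    ts, src_ip, sourcetype = line.split()
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), src_ip, sourcetype


def bin_time(epoch, span=SPAN_SECONDS):
    """Equivalent of `bin span=5m _time`: floor the timestamp to the start of its bucket."""
    return epoch - (epoch % span)


def count_by_bucket(lines, span=SPAN_SECONDS):
    """Equivalent of `stats count by source_ip sourcetype _time` run after binning.

    Binning must happen before counting: counting on the raw _time first would give
    one row per distinct timestamp, so almost every count would be 1.
    """
    counts = Counter()
    for line in lines:
        epoch, src_ip, sourcetype = parse_event(line)
        counts[(src_ip, sourcetype, bin_time(epoch, span))] += 1
    return counts


def find_bursts(lines, span=SPAN_SECONDS, threshold=1):
    """Equivalent of `where count > 1`: keep only buckets with more than `threshold` events."""
    return {key: c for key, c in count_by_bucket(lines, span).items() if c > threshold}


def average_per_key(lines, span=SPAN_SECONDS):
    """Average events per non-empty bucket for each (source_ip, sourcetype) pair."""
    per_key = defaultdict(list)
    for (src_ip, sourcetype, _bucket), c in count_by_bucket(lines, span).items():
        per_key[(src_ip, sourcetype)].append(c)
    return {key: sum(cs) / len(cs) for key, cs in per_key.items()}


if __name__ == "__main__":
    for (src_ip, sourcetype, bucket), c in sorted(find_bursts(SAMPLE_EVENTS).items()):
        start = datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()
        print(f"{start} {src_ip} {sourcetype} count={c}")
    for (src_ip, sourcetype), avg in sorted(average_per_key(SAMPLE_EVENTS).items()):
        print(f"{src_ip} {sourcetype} avg_per_bucket={avg:.2f}")
```

Note that `average_per_key` only averages over buckets that contain at least one event; if you want empty 5-minute windows to count as zero, you have to enumerate every bucket in the search window first, which is what Splunk's `timechart` does and plain `stats` does not.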