So, I am not clear whether this has been asked before, but I'll ask it directly.
I want to present the results of my search as a table of selected fields, without having to invoke "stats count by {Field1}, {Field2}", etc. I suspect there is going to be some use of the eval command.
sourcetype=firewall dest_port>=3500 dest_port<=3800 | stats count by srcip,dest,dest_port
also, I would like to be able to aggregate the source IPs and/or the port as you might see in the Threat Activity dashboard.
Thanks beforehand for any help.
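An added example, not part of the original post, showing the two things the question asks for against the same firewall search. The first search uses the table command to list selected fields per event with no aggregation. The second keeps one row per destination and collapses the source IPs and ports into that row with values() and dc(), then flattens the multivalue fields with mvjoin so they read as a comma-separated list, which is roughly how the Threat Activity style panels present aggregated sources. Field names (srcip, dest, dest_port) are taken from the question; the output field names (distinct_sources, sources, ports, hits) are assumptions chosen for this example.

```spl
sourcetype=firewall dest_port>=3500 dest_port<=3800
| table _time srcip dest dest_port

sourcetype=firewall dest_port>=3500 dest_port<=3800
| stats dc(srcip) AS distinct_sources values(srcip) AS sources values(dest_port) AS ports count AS hits BY dest
| eval sources=mvjoin(sources, ", "), ports=mvjoin(ports, ", ")
| sort - hits
| table dest distinct_sources sources ports hits
```

Swap the BY clause to dest_port instead of dest if you want one row per port with the destinations and sources aggregated into it. Sorting by hits puts the destinations receiving the most connections in the scanned port range at the top, and distinct_sources gives a quick count of how many separate sources are involved without having to read the list.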