``` Search 1: scan-related firewall events, one result row per hour, source IP and app. ```
``` attack="*scan" uses a leading wildcard, so it matches any attack value that ends in "scan"; ```
``` leading wildcards are typically slow on large indexes because the index prefix cannot be used. ```
index="firewall" action IN ("allow", "deny") attack="*scan"
| bucket _time span=1h
``` First pass: event count per (hour, src_ip, dest_ip, app) pair. ```
| stats count by _time, src_ip, dest_ip, app
``` Second pass: collapse the destinations of each (hour, src_ip, app) into a multivalue list ```
``` and add up the per-destination counts; app stays a grouping key, so one row per app. ```
| stats values(dest_ip) as dest_ip, sum(count) as count by _time, src_ip, app
| table _time, src_ip, app, dest_ip, count

``` Search 2: same first pass, but app is no longer a grouping key in the second pass. ```
index="firewall" action IN ("allow", "deny") attack="*scan"
| bucket _time span=1h
| stats count by _time, src_ip, dest_ip, app
``` Grouping only by (hour, src_ip): rows for different apps from the same source in the ```
``` same hour merge into one row, count is summed across those apps, and app becomes a ```
``` multivalue list (values) rather than a single value per row. ```
| stats values(dest_ip) as dest_ip, sum(count) as count, values(app) as app by _time, src_ip
| table _time, src_ip, app, dest_ip, count

``` Original question: What's the difference if the app changes? ```
``` As written above: search 1 keeps one row per app (per-app counts); search 2 folds all ```
``` apps of a source into one row, so per-app attribution of the count is lost. ```