This search will display port numbers from the Endpoint datamodel
| tstats summariesonly=true count from datamodel=Endpoint.Ports by Ports.dest_port
I would like to create a search that will show other fields like dest_bunit with the port.
Without the datamodel I could just do a stats count by dest_port. I'm not sure how to replicate this query using the datamodel.
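An added example (not from the thread) of splitting the tstats count by both fields, assuming the CIM Endpoint data model's Ports dataset, which carries dest_port and the asset-enriched dest_bunit. In tstats every field in the by clause must keep its dataset prefix; the rename afterwards strips that prefix so later commands see plain dest_port and dest_bunit, and the eventstats turns the raw counts into each business unit's share of a port's traffic, which is the same shape of answer a plain stats count by dest_port dest_bunit would give against raw events:

```spl
| tstats summariesonly=true count
    from datamodel=Endpoint.Ports
    where Ports.dest_port=*
    by Ports.dest_port Ports.dest_bunit
| rename Ports.* as *
| eventstats sum(count) as total_by_port by dest_port
| eval pct_of_port=round(count/total_by_port*100,1)
| sort - count
```

summariesonly=true reads only the accelerated summaries, so a port seen only in events not yet summarised will be missing; drop that argument (or set it to false) to include unaccelerated data at the cost of a slower search.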
index=proxy sourcetype=bar | stats count by blockedAction | eventstats sum(count) as grandTotal | eval percentBlocked = round((count/grandTotal)*100,1)
I'm trying to show the amount blocked as a percent of total traffic. blockedAction is a field that was created.