If destination IPs are not of interest at all, you can greatly simplify by eliminating calculations related to values(dest_ip).

index=pan_logs eventtype=pan_traffic dvc="FD0*.*" (action=allow OR action=allowed OR action=alert) AND (app=sip OR dest_port=5060 OR dest_port=5061) AND src_ip!=10.0.0.0/8 AND src_ip!=172.16.0.0/12 AND src_ip!=192.168.0.0/16 AND src_zone=*-untrust
| stats values(rule) AS "Firewall Rule" values(dest_port) AS "Destination Port" dc(dest_ip) AS "Total Dest IP Count" count AS Count BY src_ip vendor_action app dvc vsys_name
| where Count > 500 AND 'Total Dest IP Count' > 5
| sort limit=10 - Count
| fields src_ip dvc vsys_name "Total Dest IP Count" app "Destination Port" "Firewall Rule" vendor_action Count
| rename src_ip AS "Source IP", vendor_action AS "Action", dvc AS "Device", vsys_name AS "Virtual System", app AS "Application"

(The action and app/port alternatives are parenthesized because SPL binds AND more tightly than OR; without the grouping, the src_ip and src_zone restrictions would only apply to the dest_port=5061 branch.)

In the above, I switched the "sort limit=10 - Count" to after the "where" clause because it is slightly more efficient. (Note sort doesn't use "by" or "desc" in syntax.)
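To check what the search above actually reports, here is an added example (not from the original post, and not Splunk code) that models the same base filter, the stats/where/sort stages, and the Count > 500 / dc(dest_ip) > 5 thresholds in Python over constructed PAN-OS-style traffic records. Field names mirror the search; the sample addresses and zone name are made up.

```python
"""Python model of the SPL search: filter external SIP sources, then count and
distinct-count destinations per src_ip. All input records are constructed."""
import ipaddress
from collections import defaultdict

# src_ip!=10.0.0.0/8 AND src_ip!=172.16.0.0/12 AND src_ip!=192.168.0.0/16
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_ACTIONS = {"allow", "allowed", "alert"}   # action=allow OR allowed OR alert
SIP_PORTS = {5060, 5061}                           # app=sip OR dest_port=5060 OR 5061

def matches(ev):
    """Base search, with the OR groups parenthesized explicitly."""
    src = ipaddress.ip_address(ev["src_ip"])
    return (ev["action"] in ALLOWED_ACTIONS
            and (ev["app"] == "sip" or ev["dest_port"] in SIP_PORTS)
            and not any(src in net for net in PRIVATE)
            and ev["src_zone"].endswith("-untrust"))        # src_zone=*-untrust

def external_sip_sources(events, min_count=500, min_dest=5, limit=10):
    """stats count, dc(dest_ip), values(dest_port) BY src_ip | where ... | sort limit=10 - Count"""
    groups = defaultdict(lambda: {"count": 0, "dests": set(), "ports": set()})
    for ev in events:
        if matches(ev):
            g = groups[ev["src_ip"]]
            g["count"] += 1
            g["dests"].add(ev["dest_ip"])
            g["ports"].add(ev["dest_port"])
    rows = [{"src_ip": ip, "Count": g["count"], "Total Dest IP Count": len(g["dests"]),
             "Destination Port": sorted(g["ports"])}
            for ip, g in groups.items()
            if g["count"] > min_count and len(g["dests"]) > min_dest]
    return sorted(rows, key=lambda r: -r["Count"])[:limit]

def make_event(src_ip, dest_ip, dest_port=5060, action="allow", app="sip", src_zone="dmz-untrust"):
    return {"src_ip": src_ip, "dest_ip": dest_ip, "dest_port": dest_port,
            "action": action, "app": app, "src_zone": src_zone}

def constructed_events():
    """Four constructed cases; only the first should be reported."""
    evs = [make_event("203.0.113.7", f"10.1.1.{i % 8}") for i in range(600)]        # reported
    evs += [make_event("192.168.5.5", f"10.1.1.{i % 8}") for i in range(600)]       # RFC1918 source
    evs += [make_event("198.51.100.9", f"10.1.1.{i % 8}", action="deny") for i in range(600)]  # denied
    evs += [make_event("198.51.100.10", f"10.1.1.{i % 2}", dest_port=5061) for i in range(600)]  # dc <= 5
    return evs

if __name__ == "__main__":
    for row in external_sip_sources(constructed_events()):
        print(row)
```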