Thanks for sharing. I'm not in the habit of sharing queries. This one in particular was written by a third party, so I'm not sure I can legally share it in whole. The mention of limits led me to test with 8-hour windows instead of 24 hours, and this did result in queries that no longer failed to return the results without removing results. The query looks like this:

    index=ind
    | where (cidrmatch(....,src) OR cidrmatch(...,src)) OR (cidrmatch(...,dest) OR cidrmatch(...,dest)) AND src!="<IP>"
    | stats dc(dest) as dcounter, values(dest) as dip by src,dest_port
    | where dcounter >= 500
    | eval nowtime = strftime(now(),"%d/%b/%Y:%H:%M:%S")
    | eval tip = mvindex(dip,0)
    | eval alerting = "scan" + dcounter + "port" + dest_port
    | table nowtime dip tip alerting

While writing alternates to this query, I found that using a long "| stats" does not matter too much, but adding some keys such as user when using "... as <name> by <key1>,<key2>,<key>" does cause the same issue. I encountered this a few years ago but was not allowed to keep the notes on how to fix it.
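An added rewrite of the scan-detection search above (example only, not the poster's query): it assumes the dropped results come from the stats `values()` cap (limits.conf `[stats] maxvalues`, 100 per group by default), so it keeps only `dc(dest)` plus one sample destination via `earliest(dest)`, buckets into the 8-hour spans the poster found workable with `bin`, and makes the OR/AND grouping explicit. The CIDR ranges are placeholder RFC 1918 values standing in for the elided lists.

```spl
index=ind
| where (cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src)
         OR cidrmatch("10.0.0.0/8", dest) OR cidrmatch("192.168.0.0/16", dest))
        AND src!="<IP>"
| bin _time span=8h
| stats dc(dest) AS dcounter, earliest(dest) AS tip BY src, dest_port, _time
| where dcounter >= 500
| eval nowtime = strftime(now(), "%d/%b/%Y:%H:%M:%S")
| eval alerting = "scan " . dcounter . " port " . dest_port
| table nowtime src dest_port tip alerting
```

Because the per-group distinct count no longer depends on a multivalue field, a single 24-hour search can run without `dip` being silently capped; if the full list of scanned hosts is needed for triage, fetch it in a follow-up drilldown search scoped to one `src`.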