I run a Splunk query to see events from my web application firewall. I filter out certain violations by name, using a NOT and parentheses to list out violations I don't care to see.
My network is subject to attack and my query, which I use to look for legitimate users being blocked, will be inundated by various IPs generating 100s of events. How can I table fields so I can see the data I want per event, but also filter out a field if that field's event count is greater than a value?
Simple example: an IP is seen from a facility once for a block in the last 15 minutes. Another IP was seen 400 times as part of a scan. I want to see the 1 (or even 10) events by a specific source IP, but not the 400 from another.
I know I can block all of the IP, or part by a wildcard, but that gets messy and can lead to too many IPs in a NOT statement.
Current table info in my query:
table _time, event_id, hostname, violation, policy, uri, ip_client | sort - _time
Adding a stats count by ip_client only shows the count and IP, losing the other data, and the event IDs will always be different, so the count will never be higher than 1.
It would be nice if I could do something like "| where count ip_client<=10" to remove any source IPs that show up more than 10 times in the results.
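One way to express the per-IP threshold described in the question in SPL, added here as an example rather than taken from the original post; the index, sourcetype and violation names are placeholders, and the 10-event threshold is the value the poster mentions:

```spl
index=waf sourcetype=waf:events earliest=-15m
    NOT (violation="Placeholder Violation A" OR violation="Placeholder Violation B")
| eventstats count AS ip_events BY ip_client
| where ip_events <= 10
| table _time, event_id, hostname, violation, policy, uri, ip_client, ip_events
| sort - _time
```

Unlike `stats`, `eventstats` appends the per-IP count to every event without collapsing the rows, so the other fields survive the filter; the count is computed over the events left after the NOT clause and the time range, so an IP that is just under the threshold in one window can appear in the next. Because this only hides noisy sources from this view rather than doing anything about them, keep a separate `stats count BY ip_client | sort - count` search for the top talkers so scans are still visible somewhere.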