Mostly spam comes from eMails in my case we are using, index=mail [search index=* attach*|fields message_id ] | rex field=_raw "(?im)ATTACH|(?P.+)" | rex field=_raw "(?im)ATTACHFILTER|(?P.+)" |rex "(?im)IRCPTACTION|(?P.+)"|rex "(?im)SENDER|(?P.+)"| rex "(?im)IRCPTACTION|(?P\w+@\w+.\w+)|(?P\w+)" | stats count values(suspicious_file) as suspicious_file values(malicious_sender) as malicious_sender values(recipient_user) as recipient values(_raw) values(action) as action by message_id _time | sort - count| search action=deliver|table message_id _time malicious_sender suspicious_file recipient ... View more

you can bin _time and then count the number of bins that something appears in: maybe something like eval foo = host + " : " + dest| bin _time span=1h |stats count foo AS concount by _time | stats value(concount) count by foo This should give you the numbers of connections per hour and the number of hours that they occurred. ... View more