For both of them together, run this one as your summary statistic every 4h, 12h, 1d or whatever, using 1d for this example...
sourcetype="mcafee:wg:kv"
| bin _time span=1d
| eval badconnection = if(category="Malicious" OR category="Spam" OR category="Exploit" OR category="Phishing" OR category="Spy" OR category="Pup",1,0)
| stats count as connections, sum(badconnection) as badconnections by src_ip _time
... then run this one on that index at end of month
(that index)
| stats sum(connections) as connections, sum(badconnections) as badconnections, dc(src_ip) as src_ip_count