Oh that is awesome. But I can see how my question was less than clear. I thank you a TON for replying, and indeed the query did work!
What I am looking for is hits on a website. Basically all web traffic goes through a reverse proxy outside. However, from time to time we have a misconfigured device internally that will get stuck in a loop and hit the website thousands of times in a short period of time, and I want to catch it before others suffer the essentially accidental DoS. So, what I am looking for is this: when a single IP address's hit count exceeds the hit count of the IP address that is the reverse proxy (10.1.1.50, which should have the highest hit count), I would like to make an alert that this has occurred. The other addresses are devices that do routine maintenance and occasionally slam the server, but it occurs at a time we aren't worried about, which is why I am excluding them.
Does this help?
And thank you VERY much for the reply, I already have an idea how to put that to use now that I see how it works 🙂
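Added example, not part of the original post or of any reply in the thread: the alert condition described above (a client out-hitting the reverse proxy at 10.1.1.50, with maintenance hosts excluded), evaluated per time window over constructed log lines. The log format, the excluded addresses, the 300-second window and the client 10.1.2.77 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

PROXY_IP = "10.1.1.50"                  # reverse proxy address from the post
EXCLUDED = {"10.1.1.60", "10.1.1.61"}   # assumed maintenance hosts (constructed)
WINDOW_SECONDS = 300                    # assumed comparison window

def find_offenders(lines, window=WINDOW_SECONDS):
    """Return (window_start, ip, hits, proxy_hits) for every non-excluded
    client that out-hits the reverse proxy inside one time window."""
    buckets = defaultdict(Counter)
    for line in lines:
        try:
            # Assumed format: "<epoch-seconds> <client-ip> <request>"
            ts, ip, _request = line.split(" ", 2)
            start = int(ts) // window * window
        except ValueError:
            continue                    # skip malformed lines instead of crashing
        if ip not in EXCLUDED:
            buckets[start][ip] += 1
    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        proxy_hits = counts[PROXY_IP]   # Counter yields 0 if the proxy was silent
        for ip, hits in counts.most_common():
            if ip != PROXY_IP and hits > proxy_hits:
                alerts.append((start, ip, hits, proxy_hits))
    return alerts

def sample_lines(base=1700000100):
    """Constructed traffic: a quiet window, then a looping device."""
    lines = [f"{base + i} {PROXY_IP} GET /" for i in range(5)]
    lines += [f"{base + i} 10.1.2.77 GET /" for i in range(3)]
    lines += [f"{base + i} 10.1.1.60 GET /backup" for i in range(50)]  # excluded
    lines += [f"{base + 300 + i} {PROXY_IP} GET /" for i in range(4)]
    lines += [f"{base + 300 + i} 10.1.2.77 GET /status" for i in range(40)]
    lines.append("malformed line")
    return lines

if __name__ == "__main__":
    for start, ip, hits, proxy_hits in find_offenders(sample_lines()):
        print(f"ALERT window={start} ip={ip} hits={hits} proxy_hits={proxy_hits}")
```

Comparing inside fixed windows rather than over the whole search range keeps a short burst from being averaged away by the proxy's steady traffic.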