I am basically trying to accomplish the following now. Screenshot attached (Example in green) I want a count of how many IP's the source is hitting and to now show the IP's, just a count. index=pan_logs eventtype=pan_traffic dvc="FD0*.*" action=allow OR action=allowed OR action=alert app=sip OR dest_port=5060 OR dest_port=5061 AND src_ip!=10.0.0.0/8 AND src_ip!=172.16.0.0/12 AND src_ip!=192.168.0.0/16 AND src_zone=*-untrust | stats values(rule) AS "Firewall Rule" values(dest_port) AS "Destination Port" dc(dest_ip) as dest_count count as "Total Count" by src_ip vendor_action app dvc vsys_name | sort by "Total Count" desc limit=10 | where 'Total Count' > 500 AND dest_count > 5 | eval range = mvrange(0, if(dest_count < 10, dest_count - 1, 5)) | eval dest_ip = mvmap(range, mvindex(dest_ip, range)) | fields src_ip dvc vsys_name dest_ip app "Destination Port" "Firewall Rule" vendor_action "Total Count" | rename src_ip AS "Source IP", vendor_action AS "Action", dvc AS "Device", vsys_name AS "Virtual System", app AS "Application", dest_ip AS "Total Dest IP Count", "Total Count" AS "Count"
... View more