Can anyone help me get the count for Top 5 plus an Others count for the following, please? Thank you.
sourcetype="cisco:asa" action=blocked | stats count by src_ip, dest_ip, dest_port | sort - by count | rename src_ip as Src, dest_ip as Dest, dest_port as Port | addcoltotals
Try this:
sourcetype="cisco:asa" action=blocked
| top 5 src_ip, dest_ip, dest_port useother=t
| rename src_ip as Src, dest_ip as Dest, dest_port as Port
| addcoltotals
Awesome, thank you.
Also, I want to keep a totals row at the bottom. So the top 5, then an others row plus a Totals row.