I am using the following, but I only want to see events if the number of dest_ip values is 2 or more.
|top 10000 src_ip, dest_ip | stats count, values(dest_ip) by src_ip
Ideas?
I think you need
|top 10000 src_ip, dest_ip | stats dc(dest_ip) as num_dest_ip, values(dest_ip) by src_ip | where num_dest_ip >= 2
Does this work?
|top 10000 src_ip, dest_ip | stats count, values(dest_ip) by src_ip | where count >= 2
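Added example, not part of the original thread: a self-contained search that builds six constructed src_ip,dest_ip events with makeresults and applies the distinct-count filter directly, without the leading top. The IP addresses and the field names raw, events and dest_ips are made up for the illustration.

```spl
| makeresults
| eval raw="10.0.0.5,192.0.2.10;10.0.0.5,192.0.2.10;10.0.0.5,192.0.2.10;10.0.0.6,192.0.2.10;10.0.0.6,192.0.2.11;10.0.0.7,192.0.2.12"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<src_ip>[^,]+),(?<dest_ip>.+)$"
| stats count AS events, dc(dest_ip) AS num_dest_ip, values(dest_ip) AS dest_ips BY src_ip
| where num_dest_ip >= 2
```

Only 10.0.0.6 is returned (2 events, 2 distinct destinations). 10.0.0.5 has 3 events but a single destination, so when stats runs on raw events rather than on the already de-duplicated output of top, a filter on the event count would keep it while the filter on dc(dest_ip) does not.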