So, this is totally for my own network, so you'll have to adjust it for your own needs (just field names), but it searches a 30-second window counting what you need.
index=fw src_ip=*
| sort - _time
| streamstats time_window=30s dc(DST) as CountOfDistinctDests, count(DST) as CountOfDests, values(DST) as DestsList by src_ip
| stats list(DestsList) AS Destinations, sum(CountOfDistinctDests) AS "Count of Distinct Destinations",
    sum(CountOfDests) AS "Count of Destinations" BY src_ip
| where 'Count of Destinations' > 5
| table src_ip, Destinations, "Count of Distinct Destinations", "Count of Destinations"
So, fix up the fields (DST, src_ip, etc.) and obviously the index and the rest of the base search.
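The same trailing-window logic outside Splunk, as an added Python example that is not part of the post above. It assumes a constructed firewall log format of `<ISO time> src=<ip> dst=<ip>` (the sample lines are made up, not real traffic) and, going beyond the SPL's sum of per-event window counts, reports for each source the busiest 30-second window (most connections and most distinct destinations), then flags sources that exceed the same `> 5` connection threshold.

```python
"""Per-source sliding-window destination fan-out, mirroring the streamstats/stats query."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # same 30-second trailing window as time_window=30s

# Constructed sample log (not real firewall data): one connection per line.
# 10.0.0.5 touches six hosts within 14 seconds; 10.0.0.7 makes four slow, spread-out connections.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=192.0.2.10
2024-05-01T10:00:03 src=10.0.0.5 dst=192.0.2.11
2024-05-01T10:00:05 src=10.0.0.5 dst=192.0.2.12
2024-05-01T10:00:08 src=10.0.0.5 dst=192.0.2.13
2024-05-01T10:00:10 src=10.0.0.5 dst=192.0.2.14
2024-05-01T10:00:12 src=10.0.0.5 dst=192.0.2.15
2024-05-01T10:00:14 src=10.0.0.5 dst=192.0.2.10
2024-05-01T10:00:01 src=10.0.0.7 dst=192.0.2.10
2024-05-01T10:00:40 src=10.0.0.7 dst=192.0.2.10
2024-05-01T10:01:20 src=10.0.0.7 dst=192.0.2.11
2024-05-01T10:02:00 src=10.0.0.7 dst=192.0.2.12
"""


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip) for one 'time src=.. dst=..' line (assumed format)."""
    ts, src_kv, dst_kv = line.split()
    return datetime.fromisoformat(ts), src_kv.split("=", 1)[1], dst_kv.split("=", 1)[1]


def window_stats(log_text, window=WINDOW):
    """Trailing-window counts per event and per source, like `streamstats ... by src_ip`.

    Events are processed in ascending time order so that each window is the `window`
    seconds ending at the current event. Yields
    (src_ip, timestamp, dst_ip, connections_in_window, distinct_dsts_in_window).
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)                          # src -> (ts, dst) still inside the window
    dst_counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> occurrences inside the window
    for ts, src, dst in events:
        q, counts = recent[src], dst_counts[src]
        q.append((ts, dst))
        counts[dst] += 1
        # Expire everything older than the window, keeping the distinct-destination map in sync.
        while q and q[0][0] < ts - window:
            _old_ts, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        yield src, ts, dst, len(q), len(counts)


def peak_fanout(log_text, window=WINDOW):
    """Per source: the busiest window's connection count and distinct-destination count,
    plus every destination the source touched (the SPL's Destinations column)."""
    peaks = {}
    for src, _ts, dst, count, distinct in window_stats(log_text, window):
        p = peaks.setdefault(src, {"max_count": 0, "max_distinct": 0, "dests": set()})
        p["max_count"] = max(p["max_count"], count)
        p["max_distinct"] = max(p["max_distinct"], distinct)
        p["dests"].add(dst)
    return peaks


def flag_sources(log_text, threshold=5, window=WINDOW):
    """Sources with more than `threshold` connections in some window (the query's `> 5`)."""
    return sorted(src for src, p in peak_fanout(log_text, window).items()
                  if p["max_count"] > threshold)


if __name__ == "__main__":
    for src, p in peak_fanout(SAMPLE_LOG).items():
        print(src, p["max_count"], p["max_distinct"], sorted(p["dests"]))
    print("flagged:", flag_sources(SAMPLE_LOG))
```

Taking the maximum over windows rather than summing the per-event window counts avoids double counting: in the SPL, one connection contributes to the rolling count of every later event within 30 seconds, so the summed "Count of Destinations" grows much faster than the real number of connections and the threshold effectively tightens with event rate.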