Hi Everyone,
I'm trying to craft a timechart that shows the top "hits per source" and then only displays the top source per 5-minute span.
Something like this: "sourcetype=firewall | timechart span=5m count by src limit=1"
But this will only display 1 source, not the 1 top source per slice of time.
Thoughts?
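An added example, not part of the original post: `limit=1` in `timechart` ranks the `src` series over the whole search window, so a single source is kept for every bucket. One way to get the top source per 5-minute bucket instead is to bucket and count first, then keep the highest-count row in each bucket, using the same `sourcetype=firewall` and `src` field as the query above:

```spl
sourcetype=firewall
| bin _time span=5m
| stats count by _time, src
| sort 0 _time, -count
| dedup _time
| table _time, src, count
```

`sort 0` lifts the default 10,000-row sort limit so busy time ranges are not truncated before `dedup`. When two sources tie within a bucket, `dedup _time` keeps only the first one.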