Thanks for the reply Sundaresh. I have used this query, but since this is for firewall logs it is taking too long to execute and return the result, so I have to break down the time range. Do you have any suggestions based on index summary? The current query that I am using is:
index=firewall sourcetype=* action="allowed" NOT dest_ip="10...*" NOT dest_port="443" NOT dest_port="80" | sistats count by src_ip dest_ip dest_port
Any feedback on this would help me to work on my assigned engagements 🙂
Thanks,
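As an added illustration (not part of the post above, and not the query Sundaresh proposed), here is the usual two-search shape of summary indexing for this kind of firewall report: a scheduled search that runs over a short window and writes pre-aggregated results with sistats, and a reporting search that reads the summary index back with stats. The search name fw_allowed_hourly, the summary index name summary, and the 10.0.0.0/8 internal range are assumptions for the example; the allowed/443/80 filters mirror the post.

```spl
``` Populating search: schedule this hourly with "Enable summary indexing" turned on,
    so each run covers one closed hour and writes only the aggregate rows. ```
index=firewall sourcetype=* action="allowed" NOT dest_port="443" NOT dest_port="80"
    earliest=-1h@h latest=@h
| where NOT cidrmatch("10.0.0.0/8", dest_ip)
| sistats count by src_ip dest_ip dest_port

``` Reporting search: read the summary index over any long range (a week, a month)
    and let stats recombine the sistats partial results. ```
index=summary search_name="fw_allowed_hourly" earliest=-30d@d latest=@d
| stats count by src_ip dest_ip dest_port
| sort - count
```

The point of the split is that the expensive scan of raw firewall events only ever happens one hour at a time, on a schedule, so the long-range report never touches index=firewall at all. Two things that commonly trip people up: the reporting search must use stats (not the original sistats) so the stored psrsvd_* partial fields are merged correctly, and the populating search should lag the current hour (earliest=-1h@h latest=@h) so late-arriving events are not silently dropped from the summary.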