Hi all, I need to count today's events and compare that with the average daily count over the last month, by dest.
I'm using a query like this that separates the IPs, and now I have to show the average count by the same dest:
eventtype="searchIPS1" DestinationIP!="N/A" Severity="Medium" | eval dest=case(DestinationIP=="1.1.1.1", "sshDMZ", DestinationIP=="1.1.1.2", "sshDMZ", (DestinationIP!="1.1.1.1" AND DestinationIP!="1.1.1.2"), "Others") | stats last(count) as today_count avg(count) as avg_count
For example:
dest | today_count | avg_count
sshDMZ | 8 | 5,67
others | 7 | 9,89
Thanks to all who can help me.
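One way to produce the table the post asks for, as an added example that is not part of the original post: count events per day and per dest first, then split today's bucket from the earlier days. It assumes "last month" means the previous 30 full days, and that a day with no events for a dest should simply be left out of that dest's average.

```spl
eventtype="searchIPS1" DestinationIP!="N/A" Severity="Medium" earliest=-30d@d latest=now
| eval dest=case(DestinationIP=="1.1.1.1" OR DestinationIP=="1.1.1.2", "sshDMZ", true(), "Others")
| bin _time span=1d
| stats count by _time dest
| eval is_today=if(_time >= relative_time(now(), "@d"), 1, 0)
| stats sum(eval(if(is_today==1, count, 0))) as today_count
        avg(eval(if(is_today==0, count, null()))) as avg_count
        by dest
| eval avg_count=round(avg_count, 2)
```

The first `stats` creates the `count` field that the later aggregations read; today's partial day is kept out of `avg_count` so it does not pull the baseline down.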