I'm using the Enterprise Security Web Center search for Top Sources. I'd like to append what the top destination for each top source is to the chart so I can see where they may be calling to a majority of the time. Does anyone know the best way to do this? I just want TOP Web.dest by src limit 1, but I'm not sure of the syntax. The default search is below.
| `tstats` dc(Web.dest),count from datamodel=Web where earliest="-24h@h" latest="now" by Web.src
| eval group="current"
| `tstats` append=true dc(Web.dest),count from datamodel=Web where [| `make_previous_time_range("-24h@h","now")`] by Web.src
| fillnull value="historical" group
| stats dc(Web.dest) as dc_dest,count by Web.src,group
| `drop_dm_object_name("Web")`
| eval dc_dest=if(group="historical",0,dc_dest)
| eval current_count=if(group="current",count,0)
| eval historical_count=if(group="historical",count,0)
| stats max(dc_dest) as dc(dest),sum(current_count) as current_count,sum(historical_count) as historical_count by src
| `get_delta`
| rename delta as delta_count
| eval count=current_count
| eval abs(delta_count)=abs(delta_count)
| sort 100 -abs(delta_count)
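As an added example (not from the original post or from the Splunk ES content), here is a standalone search that ranks destinations within each source and keeps the busiest one, so the result shows each source's distinct destination count, its total request count, its top destination and what share of its traffic that destination accounts for. It reuses the `Web` data model fields and the `drop_dm_object_name` macro from the search above; the field names `top_dest`, `top_dest_count`, `total_count` and `top_dest_share` are my own, and it covers only the current 24h window, not the historical comparison.

```spl
| tstats count from datamodel=Web where earliest="-24h@h" latest="now" by Web.src, Web.dest
| `drop_dm_object_name("Web")`
| sort 0 src, -count
| streamstats count as rank by src
| eventstats dc(dest) as dc_dest, sum(count) as total_count by src
| where rank=1
| eval top_dest_share=round(100*count/total_count,1)
| rename dest as top_dest, count as top_dest_count
| table src, dc_dest, total_count, top_dest, top_dest_count, top_dest_share
| sort 100 -total_count
```

To attach the top destination to the ES search instead of running this on its own, drop the final `table` and `sort` lines and use the rest as a subsearch in `| join type=left src [ ... ]` appended after the ES search's final `sort 100`; because the subsearch is reduced to one row per source before the join, it stays well under the default subsearch result limit for typical source counts.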