I'm putting together a search that lists all of the IP addresses associated with scanning my firewall. Due to the fact that hundreds of IP addresses scan my firewall everyday, I'd like to be able to focus on the ones that found my remote access port. I have a search that correctly lists all scanner IP addresses, but I'm not sure how to then search the distinct values returned by the search within a multi-value column. Can you let me know what to add to this search to filter on only source_ips that hit a destination_port equal to some arbitrary number?
`index=physical_defenses sourcetype=pfsense
| stats dc(destination_port) AS distinct_destination_port_count values(destination_port) AS destination_ports by source_ip destination_ip
| where distinct_destination_port_count>2
| table source_ip destination_ports distinct_destination_port_count`
Thanks