Can someone please help me finish an alert I am trying to do below? I would like to set the alert to notify me once the count reaches 10k and then send me a list of the top 10 SRC_IPs. However, when I put in the search `count > 10000`, it removed the src_ip entries.
Here is my search string so far.
```spl
sourcetype="cisco:asa" action=blocked | stats count by src_ip, dest_ip, dest_port | sort - count | rename src_ip as Src, dest_ip as Dest, dest_port as Port | addcoltotals
```
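One way to express the alert condition on the overall blocked count rather than on each row's count, as an added example that is not part of the original post: after `stats`, each row's `count` is the number of blocked events for that one `src_ip`, so `| where count > 10000` keeps only sources that individually exceed the threshold and discards the rest. Using `eventstats` to attach the grand total to every row lets the threshold apply to the sum while the per-source rows survive, after which `head 10` keeps the top ten. The field names and the 10,000 threshold come from the post; the name `total_blocked` is an assumption chosen here.

```spl
sourcetype="cisco:asa" action=blocked
| stats count by src_ip
| eventstats sum(count) as total_blocked
| where total_blocked > 10000
| sort - count
| head 10
| rename src_ip as Src, count as Blocked, total_blocked as TotalBlocked
```

With this search, the alert trigger condition is simply "number of results is greater than 0": when the total is at or below 10,000 the `where` clause drops every row and nothing fires; when it is above, the result set is the top 10 source IPs with their individual counts and the shared total. Grouping by `src_ip` alone (rather than by `src_ip, dest_ip, dest_port`) is deliberate, since the post asks for a per-source top 10; add `dest_ip` and `dest_port` back to the `by` clause only if a per-tuple breakdown is wanted.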