I have the following search that looks for a count of blocked domains per IP:
index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count by src_ip
How would I limit the results to the top 10 IPs and still retain the count of blocked domains per IP? I've tried limit and head commands, but it nullifies the count of blocked domains per IP format.
Thx