_index=security_logs _sourceCategory=fw_security "type=\"traffic\""
  | parse "dstip=* " as dstip
  | where !(dstip matches "10.*" OR dstip matches "172.16.*" OR dstip matches "192.168.*")
  | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = dstip
  | timeslice 5m
  | count by _timeslice,country_name
  | order by _count
  | transpose row _timeslice column country_name as *