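// Top 10 source IPs by number of denied firewall traffic events.
// Scope: the fw_security source category in the security_logs index. The
// keyword terms keep only events that contain both type="traffic" and
// action="deny". The time window is whatever range the search is run with.
_index=security_logs _sourceCategory=fw_security ("type=\"traffic\"" AND "action=\"deny\"")
// Extract srcip=<dotted quad>. The dots are escaped so they match a literal
// "." instead of any character; unescaped, a value such as 10x0y0z1 would pass.
// IPv4 only, and octets are not range-checked (999.1.1.1 still matches).
// NOTE(review): events whose source is IPv6 or missing get no srcip here;
// confirm whether they show up as an empty bucket in the results.
| keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" keys "srcip"
// Group per source address; the aggregate needs "by" before the field name.
| count as count by srcip
// sort is expected to order descending by default, so the busiest denied
// sources come first - TODO confirm, or state the direction explicitly.
| sort by count
| limit 10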