Web logs summary: user agents (squid proxy)

Both searches run over the squid proxy sourcetype (replace sourcetype=whatever with the sourcetype your squid logs are indexed under) and assume ua is the extracted User-Agent field. ua!="" drops events with no User-Agent, and ua!="*legit*" is a placeholder for whatever glob excludes the agents you have already vetted. cluster labelonly=t keeps every event and tags it with a cluster_label instead of collapsing each cluster to one representative; t=0.4 is a deliberately loose similarity threshold (Splunk's default is 0.8, and the closer t is to 1 the more alike two events must be to share a cluster), so User-Agent strings that differ only in version numbers or OS build land in the same cluster. The stats then count distinct User-Agent strings per cluster: a cluster with many variants is almost certainly a real browser or tool family, while a cluster with only a handful of distinct strings is the one worth reading.

Probably legit user agents - clusters with more than 3 distinct UA strings (cua > 3)
sourcetype=whatever ua!="" ua!="*legit*" | fields ua | cluster labelonly=t field=ua t=0.4 | stats dc(ua) as cua, values(ua) as vua by cluster_label | where cua > 3 | table cluster_label, vua, cua

Anomalous user agents - clusters with 3 or fewer distinct UA strings (cua <= 3; the complement of the search above)
sourcetype=whatever ua!="" ua!="*legit*" | fields ua | cluster labelonly=t field=ua t=0.4 | stats dc(ua) as cua, values(ua) as vua by cluster_label | where cua <= 3 | table cluster_label, vua, cua

Caveat: a small cluster is a lead, not a verdict. A single unusual User-Agent is often an updater, monitoring agent or scripted job, and an attacker can copy the most common browser string on the network, so add the client (e.g. by cluster_label, src_ip) to the stats and review the rare clusters against who is sending them rather than judging the string alone.
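The same pipeline in plain Python, as an added example for reading the logic offline (this is not Splunk's own cluster implementation: Splunk's termlist matching is approximated here by Jaccard similarity over lowercase tokens with a greedy single pass, the sample ua values are constructed, and LEGIT_GLOBS is a hypothetical stand-in for ua!="*legit*"):

```python
"""Approximation of the two Splunk searches above: filter the ua field, cluster
similar User-Agent strings, count distinct strings per cluster, and split the
clusters at the dc(ua) <= 3 threshold.  Added example, not Splunk code."""
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample of the ua field from squid events; not real log data.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    "python-requests/2.31.0",
    "python-requests/2.31.0",
    "curl/8.4.0",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "",                                                            # dropped by ua!=""
    "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0",  # dropped by the legit glob
]

# Hypothetical stand-in for ua!="*legit*": globs for agents already vetted.
LEGIT_GLOBS = ["Windows-Update-Agent/*"]

TOKEN_RE = re.compile(r"[^a-z0-9]+")


def tokens(ua):
    """Lowercase alphanumeric tokens of a UA string (version digits included,
    so differing versions lower similarity a little but not below t=0.4)."""
    return {t for t in TOKEN_RE.split(ua.lower()) if t}


def jaccard(a, b):
    """Similarity in [0, 1]; approximates Splunk's termlist comparison."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster_uas(uas, t=0.4):
    """Greedy single-pass clustering: each UA joins the first cluster whose
    representative (its first member) has similarity >= t, else starts a new
    cluster.  Every event is kept and labelled, like cluster labelonly=t.
    Returns {cluster_label: [ua, ...]}."""
    reps = []                      # (label, token set of the first member)
    clusters = defaultdict(list)
    for ua in uas:
        toks = tokens(ua)
        for label, rep in reps:
            if jaccard(toks, rep) >= t:
                clusters[label].append(ua)
                break
        else:
            label = len(reps) + 1
            reps.append((label, toks))
            clusters[label].append(ua)
    return dict(clusters)


def summarize(uas, t=0.4, threshold=3, legit_globs=LEGIT_GLOBS):
    """Apply the search filters, cluster, then split clusters into the two
    reports.  Returns (probably_legit, anomalous), each a list of
    (cluster_label, vua, cua) rows where vua = values(ua), cua = dc(ua)."""
    kept = [ua for ua in uas if ua and not any(fnmatch(ua, g) for g in legit_globs)]
    legit, anomalous = [], []
    for label, members in cluster_uas(kept, t).items():
        vua = sorted(set(members))
        cua = len(vua)
        (legit if cua > threshold else anomalous).append((label, vua, cua))
    return legit, anomalous


if __name__ == "__main__":
    legit, anomalous = summarize(SAMPLE_UAS)
    print("Probably legit (cua > 3):")
    for label, vua, cua in legit:
        print(f"  cluster {label}: {cua} distinct strings")
    print("Anomalous (cua <= 3):")
    for label, vua, cua in anomalous:
        print(f"  cluster {label}: {cua} distinct -> {vua}")
```

On the constructed sample the four Chrome variants (two Windows versions, one older Windows build, one Linux) fall into one cluster with cua = 4 and are reported as probably legit; the Safari, python-requests, curl and MSIE 6 strings each form their own single-string cluster and land in the anomalous report, with the duplicate python-requests event counted once by the distinct count, as dc(ua) does in Splunk. Lowering t merges more; at 0.4 a Firefox-on-Windows string shares enough tokens with the Windows Chrome string to join its cluster, which is the kind of loose grouping this threshold is meant to produce.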