Is it possible to create a report with grouping fields and the number of events? Something like this: ip.src, ip.dst, count
In 10.4, you can use lookup_and_add with count. Refer to SAdocs for additional syntax: https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/90_Report/10_Rule/00_RuleOverview/RulSyntax/NWDBRulSyntax
Where --> ip.src exists && ip.dst exists
In the upcoming 10.5 release, there is native support for group by and order by, and the syntax would be like:
Group by --> ip.src, ip.dst
Order by --> any of the meta fields available in Select
Not easily unless you have the warehouse component.
The best you can do for now is to use aggregate and lookup_and_add() - see sadocs.emc.com for examples.
This feature is coming in 10.5. Concentrator will have native support for group by and order by clauses in the query language.
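As an added illustration (not code from this thread, and not RSA's own report engine), the following Python emulates the 10.5-style report both answers describe: a Where clause requiring ip.src and ip.dst to exist, Group by ip.src, ip.dst with a count, and Order by any selected field. The session list is constructed sample meta, not data from the page.

```python
from collections import Counter

# Constructed sample of session meta (hypothetical, not from the page).
# None marks a session in which that meta key does not exist.
SESSIONS = [
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.10"},
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.10"},
    {"ip.src": "10.0.0.7", "ip.dst": "192.0.2.10"},
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.22"},
    {"ip.src": "10.0.0.9", "ip.dst": None},        # fails "ip.dst exists"
    {"ip.src": None, "ip.dst": "192.0.2.10"},      # fails "ip.src exists"
    {"ip.src": "10.0.0.7", "ip.dst": "192.0.2.10"},
]


def report(sessions, group_by=("ip.src", "ip.dst"), order_by="count", descending=True):
    """Emulate: Select <group_by>, count / Where <keys> exists /
    Group by <group_by> / Order by <order_by>.

    Returns a list of rows, each a dict of the grouping keys plus "count".
    """
    counts = Counter()
    for s in sessions:
        # Where: every grouping key must exist (be non-None) in the session.
        if any(s.get(k) is None for k in group_by):
            continue
        counts[tuple(s[k] for k in group_by)] += 1

    rows = [dict(zip(group_by, key), count=n) for key, n in counts.items()]
    # Secondary order by the grouping keys so ties are deterministic,
    # then the requested Order by field (stable sort keeps the tie order).
    rows.sort(key=lambda r: tuple(r[k] for k in group_by))
    rows.sort(key=lambda r: r[order_by], reverse=descending)
    return rows


if __name__ == "__main__":
    for row in report(SESSIONS):
        print(row)
```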