Add action=allowed

Author: TonyPhipps

Signatures/Splunk/panorama-src_ip-dest_port-spike.md

@@ -1,4 +1,4 @@
-index=pan_logs sourcetype=pan:traffic earliest=-1h
+index=pan_logs sourcetype=pan:traffic action=allowed earliest=-1h
 | stats dc(dest_port) as dest_port_count by index, src_ip
 | where dest_port_count > 100
 | table index, src_ip, dest_port_count