If you have the Authentication data model configured you can use the following search to quickly find successful logins after 10 failed attempts! | from datamodel:”Authentication”.”Authentication” | search action=failure or action=success | reverse | streamstats window=0 current=true reset_after=”(action=\”success\”)” count as failure_count by src | where action=”success” and failure_count > 10