SPL
Find success login after 10 failures with streamstats
6 1
Description
If you have the Authentication data model configured you can use the following search to quickly find successful logins after 10 failed attempts!
| from datamodel:"Authentication"."Authentication" | search action=failure or action=success | reverse | streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by src | where action="success" and failure_count > 10
Comments
0 total
Be the first to comment on this SPL.
Leave a comment
You must log in to post a comment.