SPL
Find successful logins after 10 failures with streamstats
Description
If you have the Authentication data model configured, you can use the following search to quickly find successful logins that follow 10 failed attempts from the same source (src).
| from datamodel:"Authentication"."Authentication" | search action=failure OR action=success | reverse | streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by src | where action="success" AND failure_count > 10
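The rule this search expresses, written as an added Python reference model (not part of the original post, and not Splunk code) that can be used to check search results against known data. The field names follow the search; the helper names and sample events are constructed, and the model assumes each src's counter is reset only by that src's own success.

```python
from collections import defaultdict

THRESHOLD = 10  # same constant as `failure_count > 10` in the search


def success_after_failures(events, threshold=THRESHOLD):
    """Return (_time, src, failures) for each success that ends a long failure run.

    events: iterable of dicts with _time, src and action keys, in any order.
    """
    running = defaultdict(int)  # per-src running count, like `count ... by src`
    hits = []
    # The search uses `reverse` to get oldest-first order; sort explicitly here.
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["action"] not in ("failure", "success"):
            continue
        running[ev["src"]] += 1  # current=true: the event counts itself
        if ev["action"] == "success":
            count = running[ev["src"]]
            # The success is part of the count, so count > 10 means >= 10 failures.
            if count > threshold:
                hits.append((ev["_time"], ev["src"], count - 1))
            running[ev["src"]] = 0  # reset_after: start fresh after a success
    return hits


def _burst(src, start, failures):
    """Constructed helper: `failures` failed logins followed by one success."""
    evs = [{"_time": start + i, "src": src, "action": "failure"}
           for i in range(failures)]
    evs.append({"_time": start + failures, "src": src, "action": "success"})
    return evs


# Constructed sample events (documentation address ranges).
SAMPLE = (
    _burst("198.51.100.7", 1000, 10)   # 10 failures, then success: flagged
    + _burst("203.0.113.20", 1000, 9)  # 9 failures, then success: not flagged
    + _burst("192.0.2.44", 1003, 2)    # short run, counter resets on success
    + _burst("192.0.2.44", 1010, 12)   # later run from the same src: flagged
)

if __name__ == "__main__":
    for t, src, n in success_after_failures(SAMPLE):
        print(f"{t} src={src} success after {n} failures")
```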