The streamstats count command adds a field called eventCount that holds the running count of events seen so far for each value of the field you specify:

    | streamstats count as eventCount by fieldname
Find a successful login after 10 failures with streamstats
If you have the Authentication data model configured, you can use the following search to quickly find successful logins after 10 failed attempts:

    | from datamodel:"Authentication"."Authentication"
    | search action=failure OR action=success
    | reverse
    | streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by src
    | where action="success" AND failure_count > 10

The reverse command puts the events in chronological order so that streamstats counts forward in time, and reset_after restarts the count once a successful login has been processed.
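The counting logic this search expresses, as an added Python example for testing the detection offline (not part of the original page, and not Splunk code). The sample events, the function names and the per-src reset are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample events, oldest first (the order the search sees after `reverse`).
def build_sample_events():
    events = [{"src": "203.0.113.7", "action": "failure"} for _ in range(12)]
    events.insert(5, {"src": "198.51.100.9", "action": "failure"})  # unrelated source
    events.append({"src": "198.51.100.9", "action": "success"})     # only 1 failure before
    events.append({"src": "203.0.113.7", "action": "success"})      # after 12 failures
    events.append({"src": "203.0.113.7", "action": "failure"})
    events.append({"src": "203.0.113.7", "action": "success"})      # counter was reset
    return events

def success_after_failures(events, threshold=10):
    """Return (src, failure_count) for each success whose running count exceeds threshold.

    As in the search, the count includes the current event, so a success that
    follows exactly `threshold` failures has failure_count == threshold + 1.
    """
    running = defaultdict(int)  # running event count per source ("by src")
    hits = []
    for ev in events:
        if ev["action"] not in ("failure", "success"):
            continue            # same filter as the `search` stage
        src = ev["src"]
        running[src] += 1       # current=true: the event itself is counted
        if ev["action"] == "success":
            if running[src] > threshold:
                hits.append((src, running[src]))
            running[src] = 0    # reset after a success (assumed to apply per src)
    return hits

if __name__ == "__main__":
    for src, n in success_after_failures(build_sample_events()):
        print(f"{src}: success after {n - 1} failed attempts")
```

Because the success event is included in the count, `failure_count > 10` corresponds to at least 10 failures before the successful login.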