Hello,
I'm trying to count the number of failed logins in a 10 min span. Here is my search:
host=.." AND gateway_username != "''" | transaction fields="src_ip,gateway_username" startswith="'ZV_REJECT'" endswith="'ZV_ACCEPT'" maxspan=10m
How can I search for a log with 9 rejects or more and an accept at the end?
Best regards
Thomas
How about this? Assuming there is a field called "Status" which will have values like ZV_REJECT and ZV_ACCEPT.
host=.." AND gateway_username != "''" | transaction fields="src_ip,gateway_username" startswith="'ZV_REJECT'" endswith="'ZV_ACCEPT'" maxspan=10m | where eventcount>9 AND mvcount(Status)=2
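To see what the answer's search is asking for, here is an added Python example (not from the thread and not Splunk code) that runs the same grouping and filter over constructed sample events. It assumes the `_time`, `src_ip`, `gateway_username` and `Status` fields named above, and its grouping rules are a simplified reading of the intended transaction semantics rather than a reproduction of Splunk's `transaction` implementation.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed fields: _time, src_ip, gateway_username,
# Status). alice: 9 rejects then an accept within 10 min; bob: 3 rejects then
# an accept. Neither is real data.
def make_events():
    base = datetime(2024, 1, 1, 12, 0, 0)
    def ev(offset_s, ip, user, status):
        return {"_time": base + timedelta(seconds=offset_s), "src_ip": ip,
                "gateway_username": user, "Status": status}
    events = [ev(30 * i, "198.51.100.7", "alice", "ZV_REJECT") for i in range(9)]
    events.append(ev(300, "198.51.100.7", "alice", "ZV_ACCEPT"))
    events += [ev(45 * i, "203.0.113.9", "bob", "ZV_REJECT") for i in range(3)]
    events.append(ev(180, "203.0.113.9", "bob", "ZV_ACCEPT"))
    return events

def transactions(events, startswith, endswith, maxspan):
    """Simplified emulation of `transaction fields="src_ip,gateway_username"
    startswith=... endswith=... maxspan=...`: per (src_ip, user) a group opens
    on a startswith event and closes on an endswith event within maxspan."""
    open_tx, done = {}, []
    for e in sorted(events, key=lambda x: x["_time"]):
        key = (e["src_ip"], e["gateway_username"])
        tx = open_tx.get(key)
        if tx is not None and e["_time"] - tx[0]["_time"] > maxspan:
            open_tx.pop(key)          # span exceeded: discard the open group
            tx = None
        if tx is None:
            if e["Status"] == startswith:
                open_tx[key] = [e]    # a reject opens a new transaction
            continue
        tx.append(e)
        if e["Status"] == endswith:   # an accept closes it
            done.append({"src_ip": key[0], "gateway_username": key[1],
                         "eventcount": len(tx),
                         "Status": sorted({x["Status"] for x in tx})})
            open_tx.pop(key)
    return done

def brute_force_then_success(events):
    """The answer's filter: `| where eventcount>9 AND mvcount(Status)=2`."""
    return [t for t in transactions(events, "ZV_REJECT", "ZV_ACCEPT",
                                    timedelta(minutes=10))
            if t["eventcount"] > 9 and len(t["Status"]) == 2]

if __name__ == "__main__":
    for t in brute_force_then_success(make_events()):
        print(t)
```

Only alice's group survives: 9 rejects plus the closing accept give eventcount 10, and Status holds both values, while bob's 4-event group is dropped by `eventcount>9`.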
That's exactly what I want. Thank you 🙂