I saw you respond to the first answer that it wasn't what you wanted, so just trying to be sure we all understand exactly what you do want...
When you say failed 3 times, do you mean 3 times in one day? Or 3 times over the entire previous month? And then depending on that answer, what do you mean by 3 consecutive days? So a user had a failed logon at least 3 times per day for 3 consecutive days? Or just 3 consecutive and at least 3 times over the month?
I'm also confused a bit on what you want returned. Could you elaborate a bit on what "the name of the agent and total user counts" means? And/or, given the sample data you provided, exactly what sort of results would you expect to see?
And since you do want to see agent in the results, are the failed logon requirements at the agent level too? Meaning, if a user has a logon failure 3 days in a row but 2 days are for one agent and 1 day is for another, does that count?
Sorry for confusing you.
What I want is
We can ignore the agent part for now first.
I hope that you can understand better what I want.
Thanks a lot for your time
See if this works
index="SM" AuthReject uid=* earliest=-30d@d | bin span=1d _time | stats count by uid _time | where count>2 | delta _time as d | transaction d uid maxevents=3
Not what I wanted. But thanks a lot for your effort!