I have managed to create a search that finds users that have failed to login within the last 24 hours but I want to only see users who fail to login 5 or more times.
This is what I have so far:
source="secure" sshd "pam_ldap: error trying to bind as user" | top uid
How can I make it so it onlys shows 5 or more failed logins per user?
Thanks,
You could filter the results of top like so:
... | top uid | where count >= 5
You could filter the results of top like so:
... | top uid | where count >= 5
That worked perfectly thanks.