I have this search; I want to only display results for when the sum(failures) is higher than 4. How can I do this?
(index=infrastructure-os OR index=main) sudo "incorrect password attempt*"
| rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) by user, host
| where user!="addm"
Try this!
(index=infrastructure-os OR index=main) sudo "incorrect password attempt*"
| rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) as totalFailures by user, host
| where user!="addm" AND totalFailures > 4
Notice that you can give a name to the results of the stats calculation. Once it has a field name (totalFailures), you can use it in further commands...
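As an added illustration that is not part of the original answer, here is the same pipeline (rex extraction, stats sum by user and host, where filter) replayed in Python over a few constructed sudo log events, so you can see exactly which rows survive the totalFailures > 4 threshold. The event dicts, hostnames and usernames are made up; the regex is the one from the search, rewritten with Python's (?P<name>...) group syntax.

```python
import re
from collections import defaultdict

# Same pattern as the Splunk rex stage; Python spells named groups (?P<name>...).
# Caveat: [^a-z]+ after "sudo:" also eats uppercase letters and digits, so a
# username that starts with an uppercase letter would be extracted truncated.
SUDO_FAILURES_RE = re.compile(
    r"sudo:[^a-z]+(?P<user>[^ ]+) : (?P<failures>[0-9]+) incorrect"
)

# Constructed sample events: "host" stands in for Splunk's host metadata field,
# "_raw" for the raw syslog line.
SAMPLE_EVENTS = [
    {"host": "web01", "_raw": "Mar 10 12:00:01 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"},
    {"host": "web01", "_raw": "Mar 10 12:05:44 web01 sudo:    alice : 2 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow"},
    {"host": "web01", "_raw": "Mar 10 12:07:10 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls"},
    {"host": "db01",  "_raw": "Mar 10 12:09:30 db01 sudo:     addm : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/opt/addm ; USER=root ; COMMAND=/bin/ps"},
    {"host": "db01",  "_raw": "Mar 10 12:10:02 db01 sudo:     addm : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/opt/addm ; USER=root ; COMMAND=/bin/ps"},
    {"host": "db01",  "_raw": "Mar 10 12:11:15 db01 sudo:    alice : 2 incorrect password attempts ; TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"},
    # A successful sudo line: no "incorrect" clause, so rex extracts nothing.
    {"host": "db01",  "_raw": "Mar 10 12:12:00 db01 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"},
]


def extract(event):
    """rex stage: return (user, host, failures) or None when the line doesn't match."""
    m = SUDO_FAILURES_RE.search(event["_raw"])
    if not m:
        return None
    return m.group("user"), event["host"], int(m.group("failures"))


def total_failures(events, excluded_users=("addm",), threshold=4):
    """stats sum(failures) as totalFailures by user, host
       | where user!="addm" AND totalFailures > threshold"""
    totals = defaultdict(int)
    for ev in events:
        parsed = extract(ev)
        if parsed is None:
            continue
        user, host, failures = parsed
        totals[(user, host)] += failures
    # The named sum is what makes the threshold filter expressible.
    return {key: total for key, total in totals.items()
            if key[0] not in excluded_users and total > threshold}


if __name__ == "__main__":
    for (user, host), total in total_failures(SAMPLE_EVENTS).items():
        print(f"{user}@{host}: totalFailures={total}")
```

Only alice@web01 (3 + 2 = 5) remains: bob is under the threshold, alice@db01 is a separate (user, host) row, and addm is excluded by the where clause even though it totals 6.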
That worked! Thanks