Hi,
the bin command conveniently provides time slots.
But where do they start? They always seem to start on the next fitting clock time, like 10:00, 10:05, 10:10 for a 5min bin.
But if I want to identify failed logins within a 5min window, that window of course needs to start at the first failed login, not at a fixed timestamp.
Any ideas how to make that work?
thx
afx
For that use case, try streamstats.
There are many answers here regarding finding many failed logins in a certain amount of time.
Thanks,
I ended up with this:
| streamstats time_window=5m sum(eval(if(match(action,"failure"),1,0))) AS action_count BY user
| where action_count>4
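To make the difference between the two approaches from this thread concrete (fixed clock-aligned bins versus a trailing window that effectively starts at the first failure), here is a small added Python example, not code from the thread or from Splunk. It replays constructed login events sorted by time, as streamstats would need them, and computes both a `bin span=5m` style count and a `streamstats time_window=5m` style running count per user; the event data, field names and the `>4` threshold are assumptions mirroring the search above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, user, action); not from the thread.
# alice fails five times within 4m40s, but those failures straddle the 10:05 bin boundary.
SAMPLE_EVENTS = [
    ("2024-01-15 10:03:10", "alice", "failure"),
    ("2024-01-15 10:04:00", "alice", "failure"),
    ("2024-01-15 10:04:30", "bob",   "failure"),
    ("2024-01-15 10:06:00", "alice", "failure"),
    ("2024-01-15 10:06:20", "bob",   "success"),
    ("2024-01-15 10:07:00", "alice", "failure"),
    ("2024-01-15 10:07:50", "alice", "failure"),
    ("2024-01-15 10:09:00", "bob",   "failure"),
    ("2024-01-15 10:12:00", "alice", "success"),
]


def parse(events):
    """Parse and sort ascending by time; a sliding window only works on ordered events."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action)
        for ts, user, action in events
    )


def fixed_bin_counts(events, span_minutes=5):
    """Failures per (user, bin) with bins aligned to clock multiples, like `bin _time span=5m`."""
    span = timedelta(minutes=span_minutes)
    counts = defaultdict(int)
    for ts, user, action in parse(events):
        if action != "failure":
            continue
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        bin_start = midnight + ((ts - midnight) // span) * span  # floor to bin boundary
        counts[(user, bin_start)] += 1
    return dict(counts)


def sliding_window_counts(events, window_minutes=5):
    """Running per-user failure count over the trailing window, like streamstats time_window=5m.

    Returns one row per event: (timestamp, user, action, action_count). Success events
    contribute 0 to the sum but still see the failures that preceded them in the window.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-user timestamps of failures still inside the window
    rows = []
    for ts, user, action in parse(events):
        q = recent[user]
        while q and ts - q[0] >= window:  # evict failures that fell out of the window
            q.popleft()
        if action == "failure":
            q.append(ts)
        rows.append((ts, user, action, len(q)))
    return rows


def users_over_threshold(events, threshold=4, window_minutes=5):
    """Equivalent of `| where action_count>4`: users with more than `threshold` failures in any window."""
    return {
        user
        for _, user, _, count in sliding_window_counts(events, window_minutes)
        if count > threshold
    }


if __name__ == "__main__":
    print("fixed bins:", fixed_bin_counts(SAMPLE_EVENTS))
    for row in sliding_window_counts(SAMPLE_EVENTS):
        print("sliding:", row)
    print("flagged:", users_over_threshold(SAMPLE_EVENTS))
```

With this data the fixed bins never see more than 3 failures for alice (2 in the 10:00 bin, 3 in the 10:05 bin), so a `bin` based search with the same threshold misses her, while the trailing window reaches 5 at 10:07:50 and flags her.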