So I am doing a search command for failed authentication events that results in a data stream of the UserID and the count of events, and their time. I have tried many combinations of all kinds of variations of the sort command, and trying to modify the timechart parameters. The stream uses a rex command to generate a field called 'failedAuthUser' that represents the user id of the account failing the authentication.
Here is what I have:
"search" | sort num(count) | timechart count by failedAuthUser*
I am trying to get the legend to display the users that have Failed Auth events in order of highest count to the lowest. I have tried to put the sort command before and after the timechart command, with no impact, and nothing I can find in searching Splunk support resources gets me what I am looking for. This must be doable - right?