Hello everyone,
I'm a new user.
I would like to search for the top 5 logfail users, distinct by day, in the last 7 days.
I wrote the search below, but I receive the top 5 users over the 7 days (one table with 5 rows), not the top 5 distinct per day (one table with 35 rows).
Could you help me?
Thank you in advance.
|tag="WINDOWS" (Logon_Type="2" OR Logon_Type="3" OR Logon_Type="7" OR Logon_Type="10") tag=LOGFAIL | eval User_Name=mvindex(User_Name, -1) | eval User_lower=lower(User_Name) | eval Event_day=strftime(_time, "%Y-%m-%d" )| top 5 Event_day User_Name | sort -Event_day