cmerriman,
the query you gave does not do the math of subtracting total and success. Let me elaborate:
If a user logged in successfully we see "login success".
If a user was unable to log in we see "login fail".
But a user who failed to log in might log in successfully on a second attempt.
So I am trying to find the count of users who only failed to log in and did not log in successfully.
in my query:
index="test1" sourcetype="test2" ("login success*" OR "login failed*")
| eval outcome=if(match(_raw, "login success"), "success", "fail")
| bin _time span=1d
| stats dc(user) as total, dc(eval(if(outcome="success", user, null()))) as success by _time
| eval fail=total-success
total contains all users who failed or succeeded login; success contains only the users who logged in successfully, so the difference of total and success gives me the true failure count.
How do I do this?
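The per-day set difference the post describes (users who attempted a login minus users who succeeded), worked through in Python over a few constructed log events rather than in SPL. This is an added example, not code from the post or from Splunk; the event tuples, the `SUCCESS`/`FAIL` patterns and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (timestamp, user, message); not taken from any real log.
SAMPLE_EVENTS = [
    ("2024-05-01 08:01:10", "alice", "login failed: bad password"),
    ("2024-05-01 08:01:40", "alice", "login success"),
    ("2024-05-01 09:15:00", "bob",   "login failed: bad password"),
    ("2024-05-01 09:16:00", "bob",   "login failed: bad password"),
    ("2024-05-01 10:00:00", "carol", "login success"),
    ("2024-05-02 07:30:00", "bob",   "login success"),
    ("2024-05-02 07:45:00", "dave",  "login failed: account locked"),
]

# Same message prefixes the post searches for ("login success*" / "login failed*").
SUCCESS = re.compile(r"^login success")
FAIL = re.compile(r"^login fail")


def _bucket_by_day(events):
    """Group users per calendar day into 'attempted' and 'succeeded' sets
    (the equivalent of `bin _time span=1d` followed by a per-day dc(user))."""
    attempted = defaultdict(set)   # every user seen with a success OR failure
    succeeded = defaultdict(set)   # only users with at least one success
    for ts, user, msg in events:
        day = ts[:10]              # "YYYY-MM-DD" is the 1-day span
        if SUCCESS.match(msg):
            attempted[day].add(user)
            succeeded[day].add(user)
        elif FAIL.match(msg):
            attempted[day].add(user)
        # Any other message is ignored, like events outside the search filter.
    return attempted, succeeded


def failed_only_by_day(events):
    """Users who failed at least once on a day and never succeeded that day.

    Returns {day: sorted list of users}."""
    attempted, succeeded = _bucket_by_day(events)
    return {day: sorted(attempted[day] - succeeded[day])
            for day in sorted(attempted)}


def daily_counts(events):
    """The post's total / success / fail columns per day.

    total   = distinct users with any attempt,
    success = distinct users with a success,
    fail    = total - success (users who only failed)."""
    attempted, succeeded = _bucket_by_day(events)
    rows = {}
    for day in sorted(attempted):
        total = len(attempted[day])
        success = len(succeeded[day])
        rows[day] = {"total": total, "success": success, "fail": total - success}
    return rows


if __name__ == "__main__":
    for day, row in daily_counts(SAMPLE_EVENTS).items():
        print(day, row, "failed-only users:", failed_only_by_day(SAMPLE_EVENTS)[day])
```

With the constructed events, alice fails and then succeeds on 2024-05-01, so she is not counted; bob fails twice that day and is counted, then succeeds on 2024-05-02 and drops out. Because the buckets are per day, a failure late on one day followed by a success early the next still counts as a failed-only day, which is the same behaviour the `span=1d` bucketing gives in the query.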