Hello, I have struggled with alerting a specific search I've made.
EVENT_TYPE="Login" LOGIN_STATUS=* [search EVENT_TYPE="Login" LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT" | stats count by USER_ID | table USER_ID] | stats latest(LOGIN_STATUS) AS LOGIN_STATUS latest(USER_NAME) AS USER_NAME latest(UserAccountId) AS "Account Id" latest(USER_TYPE) AS "User Type" latest(TIMESTAMP) AS "Time stamp" by USER_ID | where LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT"
Which results in this
I have tried number of results > 0 search USER_ID> 0 I tried using field tokens such as $RESULT.userid$ > 0
Does anyone know how I can edit my search or trigger to actually trigger when I receive results?
For my other alerts that worked, for some reason this one refuses to set off. It's like it doesn't recognize the results as results. I'm using an email alert to my email and checked my triggered alerts page, I did not see it on there.