I am new to splunk and not an pro in scripting, any help will be appreciated. I am trying to write a query where it will display data for reoccurring failed login attempts for a period of three days where count = or more then 50.
EG: if the user failed to login 60 times today and 10 times for the next two days - the alert should not fire but if the user failed to login 60 times today, 70 tomorrow and 55 on the third day - it should fire with the details that I ask for.
I have written the below query thus far but I am not able to figure the "3 days" part and how it should be written,
sourcetype=wineventlog:security action=failure | search daysago=3 WHERE count>50 | stats count by user,EventCode,Status,Failure_Reason | sort - count