What is the best way to trigger an alert based on multiple failed attempts from one machine?
For example: I want an alert when on one machine, more than one user gets locked out.
I tried `| stats count by host, user`, but it gives me all locked attempts.
If you want distinct users then use dc:
your base search
| stats dc(user) as distinct_users, values(user) as users by host
| where distinct_users > 1
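The aggregation the answer above builds in SPL, re-implemented in Python over a handful of constructed lockout events so the difference between `stats count by host, user` and `stats dc(user) ... by host | where distinct_users > 1` can be seen on concrete rows. This is an added example, not code from the original thread or from Splunk; the event shape (a `host` field for the reporting machine and a `user` field for the locked-out account, as a lockout search such as Windows EventCode 4740 might yield) and the sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample lockout events (not real logs). Each dict stands in for
# one event returned by the "base search" in the answer, with the machine
# reporting the lockout as "host" and the locked-out account as "user".
SAMPLE_EVENTS = [
    {"host": "WS-0101", "user": "alice"},
    {"host": "WS-0101", "user": "alice"},   # same user locked out twice
    {"host": "WS-0101", "user": "bob"},     # second distinct user on WS-0101
    {"host": "WS-0102", "user": "carol"},
    {"host": "WS-0102", "user": "carol"},   # repeats, but only one distinct user
    {"host": "WS-0103", "user": "dave"},
    {"host": "WS-0103", "user": "erin"},
    {"host": "WS-0103", "user": "frank"},
]


def count_by_host_user(events):
    """Equivalent of `| stats count by host, user`.

    Produces one row per (host, user) pair, which is why the original
    search returned every lockout rather than one row per machine.
    """
    counts = defaultdict(int)
    for e in events:
        counts[(e["host"], e["user"])] += 1
    return dict(counts)


def distinct_users_by_host(events):
    """Equivalent of `| stats dc(user) as distinct_users, values(user) as users by host`.

    dc() counts distinct values, so repeated lockouts of the same account
    on the same host still count as one.
    """
    users = defaultdict(set)
    for e in events:
        users[e["host"]].add(e["user"])
    return {
        host: {"distinct_users": len(u), "users": sorted(u)}
        for host, u in users.items()
    }


def hosts_to_alert(events, threshold=1):
    """Equivalent of `| where distinct_users > 1` (threshold is configurable here).

    Returns only the hosts on which more than `threshold` distinct accounts
    were locked out; these are the rows an alert would fire on.
    """
    return {
        host: row
        for host, row in distinct_users_by_host(events).items()
        if row["distinct_users"] > threshold
    }


if __name__ == "__main__":
    print("stats count by host, user:")
    for (host, user), n in sorted(count_by_host_user(SAMPLE_EVENTS).items()):
        print(f"  {host:8} {user:6} count={n}")
    print("hosts with more than one distinct locked-out user:")
    for host, row in sorted(hosts_to_alert(SAMPLE_EVENTS).items()):
        print(f"  {host:8} distinct_users={row['distinct_users']} users={row['users']}")
```

Running it prints six (host, user) rows for the first search and only WS-0101 and WS-0103 for the distinct-user version; WS-0102 drops out because carol's repeated lockouts are a single distinct user.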
Something is wrong with this query. I am getting the error: in 'stats' command: the output field 'distinct_users' cannot have the same name as a group-by field
Are you also trying to group by users?
Can you post your full query here?
It is fine, I found the problem, thanks for the help.