We use Workday as our payroll system and have a Workday add-on with logs in an index called dmcworkdayindex. I want to see the attempts over 5 to change direct deposit information within Workday that are coming from unknown source IP's. We thought something like below which works except for the last part referring to the != expression. I want something more efficient anyway. Hoping someone has a few good suggestions.
index=dmcworkdayindex taskDisplayName="Manage Payment Elections" | stats count by ipAddress | where (count > 5) ipAdress != "184.108.40.206/16"