Hi All,
I have a datamodel "Authentication". This datamodel is already been accelerated.I require two more fields to be extracted from this datamodel. I have used the below query for excessive logins but does not seems to give results. Please advice.
| from datamodel:"Authentication"."Failed_Authentication"
| rex field=_raw "Result Code:\s+(?.*)"
| rex field=_raw "EventCode=(?\d+)"
| search 'event_code'=4768 AND 'result_code'=0x17
| stats dc(dest) as "dest_count",dc(user) as "user_count" ,count by "app","user"
