Hi All,
I have a datamodel "Authentication". This datamodel is already been accelerated.I require two more fields to be extracted from this datamodel. I have used the below query for excessive logins but does not seems to give results. Please advice.
| from datamodel:"Authentication"."Failed_Authentication"
| rex field=_raw "Result Code:\s+(?.*)"
| rex field=_raw "EventCode=(?\d+)"
| search 'event_code'=4768 AND 'result_code'=0x17
| stats dc(dest) as "dest_count",dc(user) as "user_count" ,count by "app","user"
One cannot add fields to a datamodel while it is accelerated. The UI should make that clear.
It is possible to extract additional fields from those returned by a data model. I'm unaware, however, of any datamodel that produces a field called "_raw".
One cannot add fields to a datamodel while it is accelerated. The UI should make that clear.
It is possible to extract additional fields from those returned by a data model. I'm unaware, however, of any datamodel that produces a field called "_raw".