Hello
I have this query:
| tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication where earliest=-1d by Authentication.action,Authentication.src,index
| `drop_dm_object_name("Authentication")`
| eval success=if(action="success",count,0),failure=if(action="failure",count,0)
| stats values(app) as app,sum(failure) as failure,sum(success) as success by src,index
| where success > 0
| `mltk_apply_upper("app:failures_by_src_count_1d", "medium", "failure")`
| table userPrincipalName, state
1. I need to add user to the query, but I didn't find a user field in this datamodel (I used this: stats dc() as * | transpose).
How can I find all the fields there?
2. Also, it shows the app list + number of failures + number of successes, but no correlation of failures/successes to apps. How can I add this?
3. How can I add the failure reason?
Thanks!