I am trying to see how many times a user fails a logon.
index=WinEvent Event=4625 user=* | timechart span=15m count by user usenull=f where count >3
I am getting events, but I am getting the sum of the events within the week time span. How would I be able to exclude the 0 results from the timechart? Or should I use the chart command?
I am trying to do it so that if the count is over 3 in a 15-minute time span I want to see the events; if not, I don't want to see them.
index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user | search count > 3
Thanks to gpradeepkumarredd.
Make sure you bin before the stats command. I made the mistake of putting it after.
Sorry. What I meant was I want the time to be grouped into 15-minute intervals and show me the count there. Researching it more, it seems I might need to use an eval command.
For some reason it is not grouping them. I am seeing a lot of events with the same _time, but the count is 1 even though I am seeing about twelve events with the same time.
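To show why the grouping has to include the time bin as well as the user, here is an added Python example (not from this thread and not Splunk's own code) that mirrors the search `bin _time span=15m | stats count by _time, user | where count > 3` over a constructed set of Event ID 4625 (failed logon) records; the sample events, the 15-minute span and the threshold of 3 are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of failed-logon (4625) events as (timestamp, user).
# Hypothetical data, not taken from the thread.
SAMPLE_EVENTS = [
    ("2024-01-08 09:01:10", "alice"),
    ("2024-01-08 09:03:42", "alice"),
    ("2024-01-08 09:07:05", "alice"),
    ("2024-01-08 09:11:30", "alice"),  # 4th failure inside the 09:00-09:15 bin
    ("2024-01-08 09:20:00", "bob"),
    ("2024-01-08 09:50:00", "bob"),
    ("2024-01-08 10:05:00", "bob"),
    ("2024-01-08 10:10:00", "bob"),    # bob has 4 in total but never >3 in one bin
]

SPAN = timedelta(minutes=15)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def bin_time(ts: str, span: timedelta = SPAN) -> datetime:
    """Equivalent of `bin _time span=15m`: floor the timestamp to its bin start."""
    t = datetime.strptime(ts, TIME_FMT)
    return datetime.min + ((t - datetime.min) // span) * span


def count_by_user(events):
    """`stats count by user` (the mistake): bins collapse into one total per user."""
    return Counter(user for _, user in events)


def count_by_bin_and_user(events, span: timedelta = SPAN):
    """`bin _time span=15m | stats count by _time, user`: one count per (bin, user)."""
    return Counter((bin_time(ts, span), user) for ts, user in events)


def failed_logon_bursts(events, threshold: int = 3, span: timedelta = SPAN):
    """`... | where count > 3`: rows of (bin_start, user, count) above the threshold."""
    counts = count_by_bin_and_user(events, span)
    return sorted(
        (t.strftime("%Y-%m-%d %H:%M"), user, c)
        for (t, user), c in counts.items()
        if c > threshold
    )


if __name__ == "__main__":
    print("by user only:", dict(count_by_user(SAMPLE_EVENTS)))      # both users look >3
    print("by bin and user:", failed_logon_bursts(SAMPLE_EVENTS))  # only alice's 09:00 bin
```

Grouping by user alone reports both users as over the threshold for the whole search window, which is the weekly sum the question describes; grouping by bin and user isolates the single 15-minute window where alice actually exceeded 3 failures.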