I am trying to see how many times a user fails a logon.
index=WinEvent Event=4625 user=* | timechart span=15m count by user usenull=f where count >3
I am getting events, but I am getting the sum of the events within the week time span. How would I be able to exclude the 0 results from the timechart? Or should I use the chart command?
I am trying to do it so that if the count is over 3 in a 15-minute time span I want to see the events; if not, I don't want to see them.
Can you try this?
index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time| search count > 3
index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user | search count > 3
thanks to gpradeepkumarredd
Make sure you bin before the stats command. I made the mistake of putting it after.
I converted mine to answer so that you can accept it. Thanks!
Tried that. Getting about the same results. It is still giving me the sum of the counts and not just the 15-minute time span.
Oops, try this. Missed adding _time to the stats.
index=WinEvent Event=4625 user=* | bin _time span=15m | stats count by user _time | search count > 3
That worked, but I am still not able to group it for the 15 mins.
Not following. Can you elaborate?
Sorry. What I meant was I want the time to be grouped in 15-minute intervals and show me the count there. Researching more of it, and it seems I might need to do an eval command.
| bin _time span=15m does the same thing. It groups into 15-minute buckets.
For some reason it is not grouping them. I am seeing a lot of events with the same _time, but the count is 1 even though I am seeing about twelve events with the same time.
Use sum(count) instead of just count?
That didn't work. It just comes up blank.
Ok, I got it right. I had it switched: the bin command.
Thanks that got it to work now 😄
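The bin / stats / search pipeline from the accepted answer, re-implemented in Python as an added example (not code from the thread) over constructed 4625-style records. It shows why `stats count by user` without `_time` returns the whole-window sum, while binning on `_time` first flags only a burst inside one 15-minute bucket; the event list, user names and times are made up.

```python
from collections import Counter
from datetime import datetime, timedelta

SPAN = timedelta(minutes=15)   # "bin _time span=15m"
THRESHOLD = 3                  # "search count > 3"

# Constructed sample of Windows Event ID 4625 (failed logon) records as (_time, user).
# These are made-up values for illustration only.
SAMPLE_EVENTS = [
    ("2024-03-04 08:01:10", "alice"),
    ("2024-03-04 08:03:45", "alice"),
    ("2024-03-04 08:07:02", "alice"),
    ("2024-03-04 08:12:59", "alice"),   # 4th failure in the 08:00-08:15 bucket
    ("2024-03-04 08:20:00", "alice"),   # next bucket, only 1 failure there
    ("2024-03-04 09:00:05", "bob"),
    ("2024-03-04 11:30:00", "bob"),
    ("2024-03-04 14:45:30", "bob"),
    ("2024-03-04 17:10:00", "bob"),     # 4 failures over the day, never >3 in one bucket
]

def bin_time(ts, span=SPAN):
    """Floor a timestamp to the start of its span-sized bucket (what `bin _time` does)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = (t - midnight).total_seconds()
    width = span.total_seconds()
    return midnight + timedelta(seconds=elapsed // width * width)

def count_by_user_time(events, span=SPAN):
    """`stats count by user _time` after binning: one row per (user, bucket)."""
    return Counter((user, bin_time(ts, span)) for ts, user in events)

def count_by_user(events):
    """`stats count by user` with no _time: every bucket collapses into the whole window."""
    return Counter(user for _, user in events)

def bursts(events, threshold=THRESHOLD, span=SPAN):
    """Rows surviving `search count > 3`: (user, bucket) pairs with more than `threshold` failures."""
    return {k: c for k, c in count_by_user_time(events, span).items() if c > threshold}

if __name__ == "__main__":
    print("whole-window sums:", dict(count_by_user(SAMPLE_EVENTS)))
    for (user, bucket), n in sorted(bursts(SAMPLE_EVENTS).items()):
        print(f"{bucket:%Y-%m-%d %H:%M}  {user}  count={n}")
```

Note that bob has more than 3 failures in total, so the un-binned query would report him, but only alice crosses the threshold inside a single 15-minute bucket.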