Hello,
I'm not sure how to achieve this. I need to create an alert for when a field (user) value has > 500 events when another field (eventType) is filtered on a specific value.
i.e.
User: John
EventType: Blocked
I can't figure it out. Here's what I have so far:
|stats count by user, eventType
|eventstats sum(count) as count by eventType
|stats values(eventType) as Blocked, values(user) as user
|table user, Blocked
|where count>500
Thanks for any help on this,
Tom
Would this do?
|stats count by user, eventType
| where eventType == "Blocked" AND count > 500
(Note your code sample says eventType while the text description says EventType.)
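An added example, not part of the original answer: the same alert logic written as a query you can save directly as a scheduled alert. The index, sourcetype and time window are assumptions for illustration; the fields user and eventType and the threshold of 500 come from the question.

```spl
index=web sourcetype=proxy eventType="Blocked" earliest=-1h@h latest=@h
| stats count AS blocked_count BY user
| where blocked_count > 500
| sort - blocked_count
```

Putting eventType="Blocked" in the base search (before the pipe) restricts the events Splunk reads in the first place, so stats only counts the events you care about instead of counting every eventType per user and throwing most of it away in a later where, which is what the accepted answer's `stats count by user, eventType | where eventType == "Blocked" AND count > 500` does; the results are the same, this form is just cheaper on large indexes. The earliest/latest snap-to values pin the window to the last full hour so the count is stable no matter when the scheduler fires; change them to whatever period the 500-event threshold is meant to cover. Save the search as an alert with the trigger condition "Number of results is greater than 0": each returned row is one user over the threshold. Field names in SPL are case-sensitive, so eventType must match the extracted field name exactly (EventType would silently match nothing).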
Perfect, that did the trick, thank you for the help.