I have this Splunk query that returns two fields, "auditeventname" (the name of the event) and "failureRate" (the rate of failure).
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100
| where failureRate > 0.5
| fields audit_event_name, failureRate
However, there is this one auditeventname "SUBMITLOGINCREDENTIALS_PCOS" that should have a failureRate > 0.6 instead. How would I implement that? I've tried using subsearches but it didn't work quite well for me. Thanks for any and all help!
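
One way to apply a per-event threshold without a subsearch, shown as an added example that is not part of the original post: compute the threshold as a field with `case()` and compare against it in `where`. The field name `threshold` is an assumption introduced here; all other names and values come from the query above.

```spl
| stats count(eval(actvy_dispos_cd=4)) as Failure, count(eval(actvy_dispos_cd=1)) as Success, count(eval(actvy_dispos_cd=3)) as PolicyDenied by audit_event_name
| eval successRate = Success/(Success + Failure)
| eval successRate = round(successRate, 4)
| eval failureRate = (1 - successRate) * 100
| eval threshold = case(audit_event_name="SUBMITLOGINCREDENTIALS_PCOS", 0.6, true(), 0.5)
| where failureRate > threshold
| fields audit_event_name, failureRate
```

Further per-event overrides are added as extra condition/value pairs placed before the `true(), 0.5` default.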