I am working on the query that generates a table with count of security violations. I want to filter our the users with violations greater than 10.
| rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)"
| eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename JOBNAME as Jobname Time as Date
| eval Workload = substr(Jobname,1,3)
| stats count(Message) as "Security Violations" by Jobname User
Resulting table
| User | Security Violations |
| ABC | 1 |
| DEF | 4 |
| GHI | 12 |
| JKL | 3 |
| XYZ` | 20 |
Thank you,
