I am working on a query that generates a table with a count of security violations. I want to filter out the users with violations greater than 10.
| rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)"
| eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename JOBNAME as Jobname Time as Date
| eval Workload = substr(Jobname,1,3)
| stats count(Message) as "Security Violations" by Jobname User
Resulting table:
User | Security Violations |
ABC | 1 |
DEF | 4 |
GHI | 12 |
JKL | 3 |
XYZ | 20 |
Thank you,
| where 'Security Violations' > 10
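The same pipeline as a stand-alone Python script, added here as an illustration and not code from the thread: it applies the question's rex pattern to constructed sample events, counts matches by Jobname and User the way the stats command does, then applies the > 10 threshold. The event dicts with "_raw" and "JOBNAME" keys are assumptions standing in for Splunk's indexed fields.

```python
import re
from collections import Counter

# Python's re module uses (?P<name>...) for named groups, where Splunk rex
# accepts (?<name>...). The pattern otherwise mirrors the rex from the question:
# "Security violation <word> <word> <USER>".
VIOLATION_RE = re.compile(
    r"(?P<Message>Security\sviolation)\s\S+\s\S+\s(?P<User>[A-Z0-9]+)"
)


def violation_counts(events):
    """Mimic `stats count(Message) as "Security Violations" by Jobname User`.

    `events` is a list of dicts with "_raw" and "JOBNAME" keys (an assumed
    stand-in for Splunk's indexed fields). Events whose _raw does not match
    the rex are skipped, just as count(Message) ignores null Message values.
    """
    counts = Counter()
    for event in events:
        match = VIOLATION_RE.search(event["_raw"])
        if not match:
            continue
        counts[(event["JOBNAME"], match.group("User"))] += 1
    return counts


def over_threshold(counts, threshold=10):
    """Mimic `| where 'Security Violations' > 10` on the stats output."""
    return {key: n for key, n in counts.items() if n > threshold}


# Constructed sample events (not real log data): 12 violations for GHI under
# one job, 4 for DEF under another, plus one non-matching line as noise.
SAMPLE_EVENTS = (
    [{"JOBNAME": "PRDJOB1",
      "_raw": "Security violation for user GHI accessing DATASET.A"}] * 12
    + [{"JOBNAME": "DEVJOB2",
        "_raw": "Security violation for user DEF accessing DATASET.B"}] * 4
    + [{"JOBNAME": "DEVJOB2", "_raw": "job step completed normally"}]
)

if __name__ == "__main__":
    for (jobname, user), n in over_threshold(violation_counts(SAMPLE_EVENTS)).items():
        print(f"{jobname} {user} {n}")
```

In SPL itself, the single quotes in `'Security Violations'` are what make `where` read the name as a field reference; with double quotes it would be compared as a string literal and no rows would be returned.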