Hi all. I'm trying to write a search that will list users with more than 5 failed logins in the past 8 hours and then from that result, show those users that have had a failure in the past hour. I've got the first part working with this search:
index="my_index" sourcetype="my_sourcetype" earliest=-10h@h action="failed login" | stats count by username, action | where count > 5 | table username
I now have a table with the usernames I want to run my secondary search for.
How do I take that table and run a new search against it?
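Two ways to express this, as an added example that is not part of the original post. Both reuse the index, sourcetype, field names and the "failed login" value from the search above; the 8-hour window is taken from the stated requirement (the posted search uses -10h@h), and the second search uses a subsearch, whose default result cap (10,000 rows) and 60-second timeout are the caveat to keep in mind on a large user population. The first version does it in a single pass: flag each event that falls in the last hour, count both the 8-hour and 1-hour failures per user, then filter.

```spl
index="my_index" sourcetype="my_sourcetype" earliest=-8h@h action="failed login"
| eval recent=if(_time >= relative_time(now(), "-1h@h"), 1, 0)
| stats count AS failures_8h, sum(recent) AS failures_1h BY username
| where failures_8h > 5 AND failures_1h > 0
| table username failures_8h failures_1h

index="my_index" sourcetype="my_sourcetype" earliest=-1h@h action="failed login"
    [ search index="my_index" sourcetype="my_sourcetype" earliest=-8h@h action="failed login"
      | stats count BY username
      | where count > 5
      | fields username ]
| stats count AS failures_1h BY username
```

In the second search the bracketed subsearch runs first and expands to `(username="a") OR (username="b") ...`, so the outer search only scans last-hour failures for users who already exceeded 5 failures in the 8-hour window; the single-pass version avoids the subsearch limits entirely and is usually the better fit for an alert.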