Hi,
I want to do a predict command in conjunction with my login logs to see if there's any anomalous behaviour user by user. How am I able to do a predict command that can do a predict line per user?
Here's the search so far:
| from datamodel:"Authentication"."Successful_Authentication" | search sourcetype=mysourcetype
| timechart span=2h count(action) by user
I want to adjust it to fit with the MLTK Numeric Outliers search:
| inputlookup logins.csv | predict logins as prediction algorithm=LLP future_timespan=150 holdback=0 | where prediction!="" AND logins!="" | eval residual = prediction - logins
| streamstats window=72 current=true median("residual") as median
| eval absDev=(abs('residual'-median))
| streamstats window=72 current=true median(absDev) as medianAbsDev
| eval lowerBound=(median-medianAbsDev*exact(9)), upperBound=(median+medianAbsDev*exact(9))
| eval isOutlier=if('residual' < lowerBound OR 'residual' > upperBound, 1, 0)
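One way to get a separate predict line per user, as an added example that is not part of the original post: enumerate the users, run the timechart and predict once per user with the map command, tag each row with the user, and then apply the same median/MAD outlier logic with a by user clause on the streamstats calls so every user is scored against their own baseline rather than a global one. It assumes the same data model, sourcetype name and user field as the question, that each user has enough history for a 72-bucket window, and that maxsearches=50 is large enough for the number of distinct users; all of those are assumptions, not values from the original post.

```spl
| from datamodel:"Authentication"."Successful_Authentication"
| search sourcetype=mysourcetype
| stats count by user
| map maxsearches=50 search="| from datamodel:\"Authentication\".\"Successful_Authentication\" | search sourcetype=mysourcetype user=\"$user$\" | timechart span=2h count(action) as logins | predict logins as prediction algorithm=LLP future_timespan=0 holdback=0 | eval user=\"$user$\""
| where prediction!="" AND logins!=""
| eval residual = prediction - logins
| streamstats window=72 current=true median(residual) as median by user
| eval absDev=abs(residual - median)
| streamstats window=72 current=true median(absDev) as medianAbsDev by user
| eval lowerBound=(median-medianAbsDev*exact(9)), upperBound=(median+medianAbsDev*exact(9))
| eval isOutlier=if(residual < lowerBound OR residual > upperBound, 1, 0)
| where isOutlier=1
| table _time user logins prediction residual lowerBound upperBound
```

Because map runs one subsearch per user, keep the outer time range and maxsearches in step with the number of accounts you expect, and drop the final where clause if you want to chart the per-user prediction lines rather than list only the flagged 2h buckets.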