I'm trying to create an alert. The alert's query ends with " | stats values(*) as * by actor.displayName | stats count(actor.displayName)".
I want to add the clause " | where count > 5" at the end of the query. To verify that the query would work, I changed it to "| where count < 5", but I'm getting no results.
| stats count(actor.displayName)
will give you a field called "count(actor.displayName)", not "count", which is why the where command returns no results. Try it like this:
| stats count(actor.displayName) as count | where count < 5
I removed "(actor.displayName)" from the first "count" command and it works now.