We use Workday as our payroll system and have a Workday add-on with logs in an index called dmc_workday_index. I want to see the attempts over 5 to change direct deposit information within Workday that are coming from unknown source IPs. We thought of something like the below, which works except for the last part referring to the != expression. I want something more efficient anyway. Hoping someone has a few good suggestions.
index=dmc_workday_index taskDisplayName="Manage Payment Elections" | stats count by ipAddress | where (count > 5) ipAdress != "64.147.0.0/16"
You should try this:
index=dmc_workday_index taskDisplayName="Manage Payment Elections" ipAddress!="64.147.0.0/16"| stats count by ipAddress | where count > 5
Is there a field called ipAdress? And it has values in CIDR format? If not, then you need to try this:
index=dmc_workday_index taskDisplayName="Manage Payment Elections" ipAddress!="64.147.*"| stats count by ipAddress | where count > 5
Let me know if this helps!
That worked. Thank you so much for the quick reply.
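The logic of the accepted search (filter out the known range, count per source IP, keep counts above 5), reproduced as an added example that is not part of the original thread. The event dictionaries are constructed sample data, and the helper names (`is_known`, `suspicious_sources`, `string_compare_filter`) are hypothetical; only the field names, the task name, the 64.147.0.0/16 range and the threshold come from the posts above.

```python
import ipaddress
from collections import Counter

KNOWN_NET = ipaddress.ip_network("64.147.0.0/16")  # known range from the thread
TASK = "Manage Payment Elections"
THRESHOLD = 5  # report sources with strictly more attempts than this

def is_known(ip_text, network=KNOWN_NET):
    """True if ip_text parses as an address inside the known network."""
    try:
        return ipaddress.ip_address(ip_text) in network
    except ValueError:
        return False  # unparsable value: treat as unknown so it is still counted

def suspicious_sources(events, threshold=THRESHOLD):
    """Filter first, then count per source IP, then apply the threshold."""
    counts = Counter(
        e["ipAddress"] for e in events
        if e.get("taskDisplayName") == TASK
        and e.get("ipAddress")
        and not is_known(e["ipAddress"])
    )
    return {ip: n for ip, n in counts.items() if n > threshold}

def string_compare_filter(events):
    """A literal string test against the CIDR text: no address ever equals it."""
    return [e for e in events if e.get("ipAddress") != "64.147.0.0/16"]

# Constructed sample events (not real Workday data).
def _ev(ip, n, task=TASK):
    return [{"taskDisplayName": task, "ipAddress": ip} for _ in range(n)]

SAMPLE_EVENTS = (
    _ev("64.147.10.20", 9)       # inside the known /16: excluded
    + _ev("203.0.113.7", 6)      # unknown source, above threshold: reported
    + _ev("198.51.100.4", 5)     # unknown source, exactly 5: not reported
    + _ev("203.0.113.7", 3, task="View Payslip")  # other task: ignored
    + _ev("64.14.7.1", 7)        # similar-looking text, but outside the /16
)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_EVENTS))
    passed = len(string_compare_filter(SAMPLE_EVENTS))
    print(passed, "of", len(SAMPLE_EVENTS), "events pass the string test")
```

In SPL, the eval function `cidrmatch("64.147.0.0/16", ipAddress)` performs the same subnet test inside a `where` clause.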