I have a daily error report for failed logins. It's a very easy one:
'user not found | append [search "invalid password"] | append [search "invalid username"] | stats count by sourcetype'
I made a scheduled report. It emails me as:
I want to change it so that it emails me for each query term rather than by sourcetype. How do I do that?
I think that per-result alerting will help you achieve your goal.
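As an added illustration (not part of the original question or answer), here is one way to put the two pieces together: tag each branch of the search with the term it matched so `stats` groups by term instead of `sourcetype`, then switch the scheduled search to per-result alerting so each row (each term) triggers its own email. The stanza name, schedule, recipient and subject line are assumptions; the `alert.digest_mode`, `counttype`/`relation`/`quantity` and `action.email.*` settings are standard savedsearches.conf keys, and `$result.<field>$` tokens expand per result when digest mode is off.

```ini
# Added example, not from the original post: a hypothetical savedsearches.conf stanza.
[failed_logins_per_term]
# Each branch carries a "term" field, so the final stats is keyed by query term, not sourcetype.
search = search "user not found" | eval term="user not found" | append [search "invalid password" | eval term="invalid password"] | append [search "invalid username" | eval term="invalid username"] | stats count by term
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 0 6 * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# 0 = run the alert action once per result row (one email per term) instead of one digest email.
alert.digest_mode = 0
alert.track = 1
action.email = 1
action.email.to = you@example.com
action.email.subject = Failed logins: $result.term$ ($result.count$ events)
```

Two caveats worth checking before relying on this as a detection report: `append` runs its argument as a subsearch, so the inner searches are subject to the subsearch event and time limits and can silently truncate on a busy day, and the unquoted base search `user not found` matches any event containing all three words in any order, which is looser than the quoted phrases used for the other two terms.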