(index=infrastructure-os OR index=main) sudo "incorrect password attempt*"
| rex field=_raw "sudo:\s+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) as totalFailures by user, host
| where user!="addm" AND totalFailures > 4
Notice that you can give a name to the result of the stats calculation with `as`. Once the result has a field name (totalFailures), you can refer to it in further commands...
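To see the same rex, stats and where steps outside Splunk, here is an added Python example (not part of the original page) that applies the page's extraction pattern to constructed sudo syslog lines and reproduces the per-user, per-host sum and the threshold check. The sample events and the `\s+` whitespace match in the pattern are assumptions.

```python
import re
from collections import defaultdict

# Mirrors the rex in the Splunk search; the run of spaces after "sudo:" is matched with \s+.
SUDO_FAILURE_RE = re.compile(
    r"sudo:\s+(?P<user>[^ ]+) : (?P<failures>[0-9]+) incorrect password attempt"
)

# Constructed sample events as (host, _raw); not real log data.
SAMPLE_EVENTS = [
    ("web01", "Jan 10 09:12:01 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; USER=root ; COMMAND=/bin/ls"),
    ("web01", "Jan 10 09:13:44 web01 sudo:    alice : 2 incorrect password attempts ; TTY=pts/0 ; USER=root ; COMMAND=/bin/ls"),
    ("web01", "Jan 10 09:20:10 web01 sudo:      bob : 1 incorrect password attempt ; TTY=pts/1 ; USER=root ; COMMAND=/bin/ls"),
    ("db02",  "Jan 10 09:21:02 db02 sudo:     addm : 9 incorrect password attempts ; TTY=unknown ; USER=root ; COMMAND=/usr/bin/id"),
    ("db02",  "Jan 10 09:25:30 db02 sudo:    alice : 1 incorrect password attempt ; TTY=pts/2 ; USER=root ; COMMAND=/bin/ls"),
    ("db02",  "Jan 10 09:26:00 db02 pam_unix(sudo:auth): authentication failure; logname=alice uid=1000"),
]


def sum_failures(events):
    """Equivalent of `rex` followed by `stats sum(failures) as totalFailures by user, host`."""
    totals = defaultdict(int)
    for host, raw in events:
        match = SUDO_FAILURE_RE.search(raw)
        if match is None:
            # No user/failures fields could be extracted, so stats would drop this event.
            continue
        totals[(match.group("user"), host)] += int(match.group("failures"))
    return dict(totals)


def alerts(events, threshold=4, excluded_users=("addm",)):
    """Equivalent of `where user!="addm" AND totalFailures > 4` over the summed results."""
    return {
        key: total
        for key, total in sum_failures(events).items()
        if key[0] not in excluded_users and total > threshold
    }


if __name__ == "__main__":
    for (user, host), total in sorted(alerts(SAMPLE_EVENTS).items()):
        print(f"{user}@{host}: {total} failed sudo password attempts")
```

Two separate events for alice on web01 (3 and 2 failures) add up to 5 and cross the threshold, while the 9 failures for the excluded addm account and the single failures elsewhere do not.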