index=wineventlog EventCode=4625 | search user!="sa*" AND user!="VD*" AND user_email!=""
| bucket _time span=10m
| eval minute=strftime(_time, "%M")
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%D")
| eval wday=strftime(_time, "%A")
| stats count(EventCode) as aantal by hour, wday, day
| rename aantal as "#_failed_logins"
| eval search_value = wday+"_"+hour
| table hour, day, wday, search_value, "#_failed_logins", upperBound, upperBound_2stdev, upperBound_2.5stdev, upperBound_3stdev, upperBound_3.5stdev, upperBound_4stdev, twoSigmaLimit, hour_avg, hour_avg_2sig, hour_stdev, hour_stdev_2sig
Every day this query gives a different count.
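As an added example that is not the poster's query and not Splunk code, the Python below reproduces what the search does (filter out `sa*`/`VD*` users and empty `user_email`, count 4625 events by hour, weekday and day, key the result by `wday_hour`) over a constructed set of failed-logon records, then builds the `hour_avg`, `hour_stdev` and `upperBound_<k>stdev` fields the table references. The query that actually fills those fields is not shown in the post, so the formula `upperBound_kstdev = hour_avg + k * hour_stdev` (with Splunk-style sample stdev) is an assumption here. The last function shows the caveat a practitioner wants when the baseline is recomputed every day: if the day being evaluated is included in its own baseline, a burst raises its own threshold and is not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev


def build_events():
    """Constructed EventCode=4625 records (made-up, not real logs): (timestamp, user, user_email).
    Three quiet Mondays with five failures at 09:00, then a fourth Monday with a burst,
    plus three records the poster's filter should drop."""
    events = []
    monday = datetime(2023, 1, 2, 9, 0)  # 2023-01-02 is a Monday
    for week in range(3):
        day = monday + timedelta(weeks=week)
        for i in range(5):
            events.append((day + timedelta(minutes=i * 7), "alice", "alice@example.com"))
    burst = monday + timedelta(weeks=3)
    for i in range(30):
        events.append((burst + timedelta(minutes=i), "bob", "bob@example.com"))
    events.append((burst, "sa_backup", "sa@example.com"))   # user="sa*"  -> excluded
    events.append((burst, "VD-scanner", "vd@example.com"))  # user="VD*"  -> excluded
    events.append((burst, "svc_noemail", ""))               # user_email="" -> excluded
    return events


def keep(user, email):
    """Mirror: search user!="sa*" AND user!="VD*" AND user_email!=""."""
    return not user.startswith("sa") and not user.startswith("VD") and email != ""


def count_by_hour(events):
    """stats count(EventCode) by hour, wday, day -> {(hour, wday, day): count}.
    Uses the same strftime formats as the query (%H, %A, %D)."""
    counts = defaultdict(int)
    for ts, user, email in events:
        if keep(user, email):
            counts[(ts.strftime("%H"), ts.strftime("%A"), ts.strftime("%D"))] += 1
    return dict(counts)


def baseline(counts, ks=(2, 2.5, 3, 3.5, 4)):
    """Per search_value (wday_hour): hour_avg, hour_stdev (sample stdev, like Splunk's stdev)
    and upperBound_<k>stdev = hour_avg + k * hour_stdev. Assumed formulas, field names from the post.
    Note: every day in `counts`, including an outlier day, contributes to its own baseline."""
    series = defaultdict(list)
    for (hour, wday, _day), n in counts.items():
        series[f"{wday}_{hour}"].append(n)
    out = {}
    for sv, vals in series.items():
        avg = mean(vals)
        sd = stdev(vals) if len(vals) > 1 else 0.0
        row = {"hour_avg": avg, "hour_stdev": sd}
        for k in ks:
            row[f"upperBound_{k}stdev"] = avg + k * sd
        out[sv] = row
    return out


def flag_outliers(counts, k=2):
    """Compare each day's count against a baseline built only from the OTHER days with the
    same search_value (leave-one-out), so a burst cannot inflate its own threshold.
    Returns [(day, search_value, count, upperBound)] for counts above avg + k*stdev."""
    by_sv = defaultdict(list)
    for (hour, wday, day), n in counts.items():
        by_sv[f"{wday}_{hour}"].append((day, n))
    flagged = []
    for sv, rows in by_sv.items():
        for day, n in rows:
            others = [m for d, m in rows if d != day]
            if len(others) < 2:
                continue  # not enough history for a stdev
            upper = mean(others) + k * stdev(others)
            if n > upper:
                flagged.append((day, sv, n, round(upper, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    c = count_by_hour(build_events())
    print(baseline(c)["Monday_09"])   # burst day included: upperBound_2stdev = 36.25, burst of 30 passes
    print(flag_outliers(c))           # burst day excluded from its own baseline: it is flagged
```

With the burst day included, `Monday_09` gets `hour_avg=11.25`, `hour_stdev=12.5` and `upperBound_2stdev=36.25`, so the 30-failure burst sits under its own limit; with leave-one-out the three quiet Mondays give a limit of 5 and the burst is reported. Whatever produces the `upperBound*` fields in the real search, it is worth checking whether the day being scored is part of the window it is scored against, because that alone makes the thresholds move every day the search runs.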