Hi when i ran this query: "| tstats count, values(\"Authentication.tag\") as tag from datamodel=Authentication where ((nodename = Authentication.Failed_Authentication) \`hdsi_repeat_failed_log...
See more...
Hi when i ran this query: "| tstats count, values(\"Authentication.tag\") as tag from datamodel=Authentication where ((nodename = Authentication.Failed_Authentication) \`hdsi_repeat_failed_logins_alert_filter\`) groupby \"Authentication.src\", \"Authentication.dest\", \"Authentication.user\", _time span=1s | \`drop_dm_object_name(\"Authentication\")\` | eventstats sum(count) as src_count by src | eval user=lower(mvindex(split(user,\"@\"),0)) | search NOT [ search earliest=-24h@h tag=modify tag=password user=* NOT user=\"*$\" | eval user=lower(mvindex(split(user,\"@\"),0)) | dedup user | fields user ] | lookup hdsi_user_login_statistics.csv src, dest, user | eval p_fail_user = exact(failcountbyuser / totalcountbyuser) | eval p_fail_src=exact(failcountbysrc / totalcountbysrc) | where (p_fail_user < 1 AND ( p_fail_src > 0.05 OR p_fail_user > 0.1)) OR isnull(p_fail_user) | eval safeness=case(tag==\"privileged\", 0.25, tag==\"mail\", 6, tag==\"disabled_or_locked_out_authentication\", 8, tag==\"known_scanner_src\",20) | fillnull value=1 safeness | transaction maxspan=10m src,dest,user | stats values(dest) as dest, values(user) as user, sum(count) as eventcount, min(_time) as _time, max(duration) as duration, sum(safeness) as safeness, dc(dest) as dest_count by src | eval thresh = (safeness*30)/dest_count | where eventcount > thresh" Im getting this error: "type": "INFO", "text": "The limit has been reached for log messages in info.csv. 25 messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit." someone can help with that please ?