Hi,
I cannot use the second table option, as I require the raw event.
The first can be used; I need to try it out.
I feel there is no issue with the search result, as we are getting the alert properly when the bad login happens.
The only thing is that the report that comes in the mail does not have all the raw events.
If there are 5 bad login events, I'm expecting 5 lines of raw events in the mail.
FYI, the following is my search query; I have a search query with the required fields, nothing more than that.
my_base_search_with_fields
It runs every 5 min, and the alert condition is "if number of events is greater than 2". Alert mode is once per result with throttling of 5 min, and field throttling with my fields (User, Server, IP).
When I use these throttling fields I get only one raw event in the mail when a bad login happens, and at the same time when I see the result it shows all the events properly.
I just want to know how I get all the raw events in the mail when field throttling is used.