Hello,
I have the following search:
(host="x.x.x.x" OR host="x.x.x.x") Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | table _time, User_Name, Group_Name, Source_IP | sort User_Name
But when I go to set the alert condition I set the custom condition to:
search User_Name >= 5
But it emails me an alert even though there are not more than 5 user names.
How can I set it so it only does it for more than 5 user names?
Thanks,
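An added example of how the counting can be moved into the search itself; this is not code from the post or from a Splunk answer. `search User_Name >= 5` compares the text of each event's User_Name with the number 5, so it matches events instead of counting them, and any matching row makes the alert fire. The searches below assume the poster's own field names; the first reads "more than 5 user names" as more than 5 distinct users, the second as more than 5 failures for any one user.

```spl
(host="x.x.x.x" OR host="x.x.x.x") Message_Type="Authen failed" PCI
| eval Source_IP=Caller_ID
| stats dc(User_Name) AS failed_users, values(User_Name) AS User_Names, values(Source_IP) AS Source_IPs
| where failed_users > 5

(host="x.x.x.x" OR host="x.x.x.x") Message_Type="Authen failed" PCI
| eval Source_IP=Caller_ID
| stats count AS failures, values(Source_IP) AS Source_IPs BY User_Name
| where failures > 5
| sort - failures
```

Because the `where` clause already enforces the threshold, the alert's trigger condition becomes "Number of Results is greater than 0": an empty result set sends no email, and the rows that do come back list exactly the users that tripped it.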