index=windows "fail" | stats count by user | where count >4
This query is absolutely working as expected for my alert and I will trigger the condition for 5 min and problem resolved, but I want more information to it. Like the time, host, message, field1, field2.
Stats is not helping me with that; eventstats will give me individual events whereas I want the count. Is there any other way other than using stats to accomplish this, or can I work it out with stats?
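One way to keep both the per-user count and the supporting fields in a single `stats` call, as an added example that is not part of the original post: `stats` accepts several aggregation functions at once, so `count` can sit beside `earliest`/`latest` (for the time window of the failures) and `values()` (for the distinct hosts, messages and other fields seen for that user). The field names `field1`, `field2` and `message` are taken from the question as written; `first_seen` and `last_seen` are names chosen here.

```spl
index=windows "fail"
| stats count,
        earliest(_time) AS first_seen,
        latest(_time)   AS last_seen,
        values(host)    AS host,
        values(message) AS message,
        values(field1)  AS field1,
        values(field2)  AS field2
  BY user
| where count > 4
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

The result is still one row per user, so the existing `where count > 4` alert condition is unchanged; each row now carries the time span of the failures and the distinct hosts and messages behind the count. `values()` deduplicates, so a user failing 20 times on one host shows that host once; use `list()` instead when the order and repetition of the individual messages matter. If the full original events are wanted rather than one row per user, the other pattern is `... | eventstats count BY user | where count > 4`, which attaches the per-user count to every matching event instead of collapsing them.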