Hey bud!
This is under the assumption that you're trying to get the count of logins by distinct source
index=your_index Workload=your_workload ResultStatus=Succeeded Operation=UserLoggedIn
| spath
| bucket span=30s _time
| rename Actor{}.ID AS "Email", Actor{}.Type AS "Type"
| eval temp=mvzip(Email,Type)
| mvexpand temp
| eval Email=mvindex(split(temp,","),0)
| stats count(Email) AS logincount BY Email src _time
| search (logincount >= 3 AND Email=*@*)
| table Email src logincount _time
Hope this helps!
... View more