Hi Richgalloway,

Thanks for the quick response and being willing to assist. Just to provide a bit more background, the goal is to create an alert/event if a public IP address is repeated more than 30 times.

Step 1 - Working

Create a new field using extract regex and name the field Public_IP_Test. The goal is to identify and capture the IP address after the string "from ":

    (?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh

Step 2 - Working

The new field created in step 1 is available, so my query works as follows:

    host="192.168.68.1" Public_IP_Test="*" failure

my gateway: host="192.168.68.1"
the new field: Public_IP_Test="*"
Must include text called failure: failure

At this point everything seems to be in order. When the search query is run, I see all the logs with my gateway containing failures, and the Public_IP_Test field is capturing the IPs. If I click on the SELECTED FIELD Public_IP_Test, I am presented with a TOP 10 of hosts with their IPs, as well as their count.

Step 3 - Having Problems

The last thing I want to add is this: I want my query to display the logs only if a public IP address has been repeated more than 30 times. In other words, I will need to count the newly created field Public_IP_Test:

    host="192.168.68.1" Public_IP_Test="*" failure | stats count as MyTestCount by Public_IP_Test | where MyTestCount > 30

This displays each public IP and its hit count, but I am unable to save it as a query as I receive this message:

    You cannot base an event type on a search that includes a pipe operator or a subsearch.
Additional example of the logs:

9/30/20 7:02:50.000 AM system,error,critical user: login failure for user 666666 from 77.234.44.184 via ssh
Public_IP_Test = 77.234.44.184
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20 7:02:50.000 AM system,error,critical login failure for user 666666 from 77.234.44.184 via ssh
Public_IP_Test = 77.234.44.184
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20 6:13:40.000 AM system,error,critical user: login failure for user dircreate from 49.145.0.58 via ssh
Public_IP_Test = 49.145.0.58
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20 6:13:40.000 AM system,error,critical login failure for user dircreate from 49.145.0.58 via ssh
Public_IP_Test = 49.145.0.58
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20 5:39:45.000 AM system,error,critical user: login failure for user 888888 from 157.47.108.9 via ssh
Public_IP_Test = 157.47.108.9
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20 5:39:45.000 AM system,error,critical login failure for user 888888 from 157.47.108.9 via ssh
Public_IP_Test = 157.47.108.9
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20 5:25:54.000 AM system,error,critical user: login failure for user admin from 47.27.232.96 via ssh
Public_IP_Test = 47.27.232.96
host = 192.168.68.1
index = main
linecount = 1
source = udp:514
sourcetype = syslog
timestamp = none

9/30/20
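The detection logic behind steps 1 to 3 (extract the source IP after "from ... via ssh", keep only events containing "failure", count per IP and keep the IPs above the threshold), reproduced as an added Python example so it can be checked offline against sample lines. This is not code from the post or from Splunk; the sample log lines are constructed to resemble the poster's syslog events, and the Python regex is the step 1 extraction as written. The same pipeline in Splunk (search, then stats and where) is what a scheduled alert or saved search runs; the restriction quoted above applies to event types, which accept only the base search.

```python
import re
from collections import Counter

# The step 1 extraction, unchanged: capture the IP between "from" and "via ssh".
PUBLIC_IP_RE = re.compile(r"(?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh")

# Constructed sample events modelled on the poster's syslog lines (not real data):
# 35 failures from one address, 3 from another, one successful login (no "failure"
# keyword, so it must be excluded even though the regex would match it), and one
# failure with no "from <ip> via ssh" part (no field extracted).
SAMPLE_LOGS = (
    ["system,error,critical login failure for user 666666 from 77.234.44.184 via ssh"] * 35
    + ["system,error,critical login failure for user dircreate from 49.145.0.58 via ssh"] * 3
    + ["system,info,account user admin logged in from 47.27.232.96 via ssh"]
    + ["system,error,critical login failure for user admin via web"]
)


def extract_public_ip(line):
    """Return the Public_IP_Test value for one event, or None when it does not match."""
    m = PUBLIC_IP_RE.search(line)
    return m.group("Public_IP_Test") if m else None


def count_failures_by_ip(lines, keyword="failure"):
    """Equivalent of: <keyword> Public_IP_Test="*" | stats count by Public_IP_Test.

    Splunk keyword search is case-insensitive, so the keyword filter is too.
    """
    counts = Counter()
    for line in lines:
        if keyword.lower() not in line.lower():
            continue  # the "failure" term in the base search
        ip = extract_public_ip(line)
        if ip is None:
            continue  # Public_IP_Test="*" drops events without the field
        counts[ip] += 1
    return counts


def ips_over_threshold(lines, threshold=30):
    """Equivalent of the trailing: | where MyTestCount > <threshold>."""
    return {ip: n for ip, n in count_failures_by_ip(lines).items() if n > threshold}


if __name__ == "__main__":
    for ip, n in sorted(ips_over_threshold(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} failed ssh logins")
```

Running the block prints only 77.234.44.184 with its count of 35; 49.145.0.58 stays below the threshold and 47.27.232.96 never enters the count because its event lacks the "failure" term. Lowering `threshold` shows how the `where` clause, not the extraction, decides what is reported.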