Hello. I am trying to compute a user's login failure rate so I can pit that against their daily failure rate to see if they're staying within their expected behavior. The problem is that a user may not log in every day, so something like ... | eval av=(FailedLogin/7) won't work if a user does not log in every day. Is there a way to say |eval _counter="0"
|eval if(FailedLoginForThisDay!="0") counter = counter + 1
|span -1d
|eval avg = (FailedLoginTotal/counter)
|eval if(avg < FailedLoginForThisDay) stats count by user, ipaddr, etc., where I am saying: iterate over a set of days and determine if a user had a failed login. If so, increment the counter, do it in 1-day buckets (is there a better way?), then finally take my counter, find my true average for failed logins, and if they are above their average print out their username, IP, and other stats.
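One way to express the per-active-day average in SPL, as an added example that is not part of the original post: bucket login events into days, count failures per user per day, then use eventstats so the denominator is the number of days the user actually logged in rather than a fixed 7. The index, sourcetype and the field names action, ipaddr and the value "failure" are assumptions about the data and will need to match your own events.

```spl
index=auth sourcetype=login earliest=-7d@d latest=@d
| bin _time span=1d
| stats count(eval(action="failure")) AS failed_today, count AS logins_today, values(ipaddr) AS ipaddr BY user, _time
| eventstats sum(failed_today) AS failed_total, count AS active_days BY user
| eval avg_failed = failed_total / active_days
| where failed_today > avg_failed
| table _time, user, ipaddr, failed_today, avg_failed, active_days
```

Because stats produces one row per user per day, eventstats count BY user gives the number of days with any login, so a user who logs in on only three of the seven days is averaged over three. Compare failed_today against avg_failed from the previous window rather than the current one if you want to avoid today's spike inflating its own baseline.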