Please provide some assistance. The above search is working absolutely perfectly, but I need to fetch only high events data, NOT low events data. How do I add that condition?
How could we know from which date the high events are not coming into Splunk?
index="......" sourcetype="........" user="abcd113" (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738)
| bin _time span=1h
| stats count by user, _time
| where count > 6
| fields - _time
Here I need to fetch the high events data, and how do I find from which date the high events are not coming into Splunk?
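Two searches that address the two parts of the question, added here as an example and not taken from the poster. The post does not say which field distinguishes "high" events from "low" ones, so the field name `severity="high"` is a placeholder assumption; replace it with whatever field and value actually carry that distinction in your data. The `index`, `sourcetype`, `user` and `EventCode` values are the ones from the original search, with the `EventCode` terms wrapped in parentheses so the `user` filter applies to all four codes (in SPL, an implicit `AND` binds tighter than `OR`).

```spl
index="......" sourcetype="........" user="abcd113"
    (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738)
    severity="high"
| bin _time span=1h
| stats count BY user, _time
| where count > 6
| fields - _time

index="......" sourcetype="........" user="abcd113"
    (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738)
    severity="high"
| stats latest(_time) AS last_seen, count BY EventCode
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

The first search is the original with the extra filter added to the base search, so only "high" events are counted before the hourly bin and threshold. The second search answers the "from which date" question: run it over a wide window (for example the last 30 days) and the `last_seen` column shows the last timestamp each EventCode arrived with `severity="high"`; an EventCode missing from the result never arrived in that window at all. A `| timechart span=1d count BY EventCode` over the same base search shows the same gap visually.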