I have been trying to look at statistical figures for failed login attempts over a 30-day period for each user by the hostname. I can get a table showing every failed attempt but want to condense that down to show a total count of failed attempts and an avg/day, my thinking being that it could be useful to identify attempts to do slow brute forcing from credential stuffing attacks.

This is what I have tried so far:

    index=wineventlog EventCode=4625
    | search signature="User name is correct but the password is wrong"
    | eventstats count(TargetUserName) by hostname as Total_Count
    | eventstats avg(Total_Count) as Avg_Count
    | table TargetUserName, hostname, Total_Count, Avg_Count
    | sort TargetUserName

But this ends up giving me the username and hostname, but the total and avg fields are blank. Any ideas on how to do this better?

Thanks,
Maxy
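One way to build the per-user, per-host summary described in the question, as an added example that is not part of the original post. It places each `AS` rename before the `BY` clause, which is the order SPL expects, and uses `stats` rather than `eventstats` so the output is one row per user and host. It reuses the `index`, `EventCode`, `signature`, `TargetUserName` and `hostname` fields from the post; the time bounds and the names `daily_failures`, `Active_Days`, `Peak_Day` and `Avg_Per_Day` are assumptions made for this example.

```spl
index=wineventlog EventCode=4625 signature="User name is correct but the password is wrong" earliest=-30d@d latest=@d
| bin _time span=1d
| stats count AS daily_failures BY TargetUserName, hostname, _time
| stats sum(daily_failures) AS Total_Count, dc(_time) AS Active_Days, max(daily_failures) AS Peak_Day BY TargetUserName, hostname
| eval Avg_Per_Day=round(Total_Count/30, 2)
| table TargetUserName, hostname, Total_Count, Avg_Per_Day, Active_Days, Peak_Day
| sort - Active_Days, - Total_Count
```

The divisor 30 matches the 30 whole days selected by `earliest=-30d@d latest=@d`. A high `Active_Days` with a low `Peak_Day` is the low-and-slow pattern the question is after, while a high `Peak_Day` on few days points to a burst.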