I would like to return a chart that has
LOGIN SUCCESS
LOGIN FAILURE
and TOTAL LOGIN ATTEMPTS.
In my logs I return raw text of LOGIN SUCCESS and LOGIN FAILURE.
I can search and return everything with "LOGIN" and chart that over time. How do I then subsearch for the raw text in those results for "SUCCESS" and separately "FAILURE" and return the count of all three in a timechart. (the top line - all login, should equal the total of the SUCCESS and FAILURE).
I am looking to produce this for trending to spot anomalies.
Essentially
... AND ("LOGIN SUCCESS" OR "LOGIN FAILURE") |timechart count
but how do I get this to return as two separate count lines?
... View more