Hi All, I recently started a fsck repair on all buckets for a particular index on one of my clustered indexers. Unfortunately I was unaware of how long it would take to run and how long it would keep our indexer down... With that being said, im wondering what the repercussions of interrupting the processes might be?? I'm also concerned that the putty session (internet connection) that's running might time out before it completes. I'm assuming the repair would stop then? Any advice on the best moves here would be appreciated as well as any info/risks that I'd be running if interrupted or potential cluster issues afterwards. ... View more

Hi All, I've been working on a search that will give me the Account_Name of someone who has failed to login 6-10 times concurrently. I'm running into an issue where i'm seeing the accurate results when specifying 1-2 Account_Names in the query. When i try to open it up to any Account_Name i'm getting no results returned. Im dealing with a very large sourcetype and im wondering if there might be some kind of streamstats limit being reached preventing results? I'm not too familiar with the streamstats command but believe im using it correctly judging by the refined search and accurate results. My ultimate goal would be to incorporate the concurrent count into the last query listed below.    Any advice/help would be appreciated.  Search Returning Results (Accurate): | from datamodel:Authentication | search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) (Account_Name=User1 OR Account_Name=User2) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*") | eval LoginAttemptResult=if((action="failure" OR EventCode=4625), "FAILED", "SUCCESSFUL") | streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed BY Account_Name reset_before=signature_id=4624 reset_after=signature_id=4624 | where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10 | sort Account_Name _time |table Workstation_Name,_time,signature,signature_id,Account_Name,ConcurrentFailed Search Returning Nothing: | from datamodel:Authentication | search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*") | eval LoginAttemptResult=if((action="failure" OR EventCode=4625), "FAILED", "SUCCESSFUL") | streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed BY Account_Name reset_before=signature_id=4624 reset_after=signature_id=4624 | where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10 |table Workstation_Name,_time,signature,signature_id,Account_Name,ConcurrentFailed | sort Account_Name _time   Ultimate goal to get functioning (everything functioning other than streamstats "Failure_Count"): | from datamodel:Authentication | search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*") | reverse | streamstats count(EventCode) as "Failure_Count" BY Account_Name reset_after=EventCode="4624" reset_before=EventCode="4624" | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success, values(Failure_Count) as "Failure_Count_Values" by Account_Name | where Attempts>=1 AND Success>=1 AND Failed>=6 AND Failure_Count_Values > 6.... ... View more