I started off with the following search, which gives me failed authentications to Cisco ACS on a daily basis. Now I want to alert when a spike occurs on either day. For example, Monday received 100 failed logins and the following Monday we received 1000 failed logins; I want to alert when that occurs, but I am stumped. Any suggestions?
| tstats summariesonly count values(Authentication.action) as Action from datamodel="Authentication" where (index=acs Authentication.action="failure") by _time span=1day
| convert timeformat="%A %d %B" ctime(_time)
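The week-over-week comparison the question asks for, written out in Python over constructed daily counts shaped like the search's one-row-per-day output. This is an added example, not part of the original post and not SPL; the ratio threshold, the minimum-count floor and all names are assumptions.

```python
from datetime import date, timedelta

# Assumed threshold: alert when a day's count is at least 5x the count for
# the same weekday one week earlier (hypothetical value, tune to baseline).
SPIKE_RATIO = 5.0
# Assumed floor so tiny baselines (2 -> 10 failures) do not alert.
MIN_COUNT = 50

# Constructed sample: date -> failed-authentication count, one entry per
# daily bucket. Saturday 6 January has no bucket (no failures that day).
SAMPLE = {
    date(2024, 1, 1): 100, date(2024, 1, 2): 90, date(2024, 1, 3): 110,
    date(2024, 1, 4): 95, date(2024, 1, 5): 105, date(2024, 1, 7): 15,
    date(2024, 1, 8): 1000, date(2024, 1, 9): 95, date(2024, 1, 10): 120,
    date(2024, 1, 11): 100, date(2024, 1, 12): 98, date(2024, 1, 13): 60,
    date(2024, 1, 14): 18, date(2024, 1, 15): 900,
}


def weekly_spikes(daily_counts, ratio=SPIKE_RATIO, min_count=MIN_COUNT):
    """Return (day, count, previous_count, observed_ratio) for every day that
    spiked against the same weekday exactly 7 days earlier."""
    alerts = []
    if not daily_counts:
        return alerts
    first_day = min(daily_counts)
    for day in sorted(daily_counts):
        prev_day = day - timedelta(days=7)
        if prev_day < first_day:
            continue  # first week of the window: no baseline to compare with
        count = daily_counts[day]
        # A missing bucket inside the window means zero failures that day.
        prev = daily_counts.get(prev_day, 0)
        if count < min_count:
            continue
        observed = count / prev if prev else float("inf")
        if observed >= ratio:
            alerts.append((day, count, prev, observed))
    return alerts


if __name__ == "__main__":
    for day, count, prev, observed in weekly_spikes(SAMPLE):
        # Same day label format as the convert step in the search above.
        print(f"{day.strftime('%A %d %B')}: {count} failures, "
              f"{prev} a week earlier (x{observed:.1f})")
```

A day with no bucket a week earlier is treated as a zero baseline, so it alerts only through the minimum-count floor.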