The docs on the streamstats command say that "all accumulated statistics" are reset on reset_* options. That would imply that the reset is global, not on a per "by-field(s)" basis. It could call for docs feedback to make it more explicitly stated. The practical solution to this you already got from @ITWhisperer 🙂 ... View more

You can use the sub-search method where the sub-search would detect password spray and pass the attempted source_ip and username combination to the main search which detects the successful logins. index = auth0 <successful login condition here> [ search index = auth0 <login attempts condition here> | eventstats dc(data.user_name) as unique_accounts by data.ip | where unique_accounts>10 | table data.ip,data.user_name ] | stats count by data.user_name,data.ip,<result,_time> #NOTE: <...> variable block   ... View more

1) Datamodel acceleration is 100%.  2) With summariesonly=false option I got the same result. Action field did not populate.  ... View more

The field extractor may not like the escaped quote. ... View more

If you're using indexer discovery, the DMC on the Master will show you the entire list of forwarders, including those sending internal logs. ... View more

Can you explain where do I add it in order for that to be an Alert? ... View more

Cool. Glad it helped! ... View more