I want to alert when a user has a consistently high number of failed logins over a given time period - e.g. if over 3 days a user had 5 failed logins on each day the alert would trigger, but if one day had 30 failed logins and day 2 and 3 had no or very few failed logins the alert would not trigger.
I started with the following:
| timechart span=1d count by User useother=f usenull=f | timewrap 1d series=short
This would give me an output of:
User1_s0 | User1_s1 | User1_s2 | User1_s3
3 4 5 6
My current logic is:
| timechart span=1d count by User useother=f usenull=f | timewrap 1d series=short | where s0 > 10 AND s1 > 10 AND s2>10
However, that doesn't give me any results and the docs for timewrap don't show many examples of how to reference each day as it were/perform further operations on the results.
... View more
