Hi All,
I'm trying to create an alert/event when a regex field count is above 30. However, I cannot save it as an event "that includes pipe operator".
The output shows exactly the values I want, but I'm not able to create an alert/event. Are there any alternatives or better ways to create events/alerts for these?
Regex - Public_IP_Test
(?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh
Search Query
host="192.168.68.1" Public_IP_Test="*" failure
| stats count as MyTestCount by Public_IP_Test
| where MyTestCount > 30
Output
141.98.10.209 32
141.98.10.210 32
141.98.10.211 32
141.98.10.212 32
141.98.10.213 32
Example of the logs:
system,error,critical user: login failure for user pi from 141.98.10.210 via ssh
Public_IP_Test = 141.98.10.210   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
Any help would be greatly appreciated
P
When you are creating an alert you must save it as "Alert", not as "Event Type". As that warning tells you, an "Event type" cannot contain anything other than the base search, like your 'host="192.168.68.1" Public_IP_Test="*" failure'.
r. Ismo
Please explain the problem some more. Where do you find the quotation "that includes pipe operator"? What exactly are you doing and how are you doing it when that appears?
Where are you using the regex? I see it defined, but not used.
Hi Richgalloway,
Thanks for the quick response and being willing to assist.
Just to provide a bit more background, the goal is to create an alert/event if a public IP address is repeated more than 30 times.
Step 1 - Working
Create a new field using extract regex and name the field - Public_IP_Test
The goal is to identify and capture the IP address after the string "from "
(?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh
Step 2 - Working
The new field created in step 1 is available, so my query works as follows:
host="192.168.68.1" Public_IP_Test="*" failure
my gateway: host="192.168.68.1"
the new field: Public_IP_Test="*"
Must include text called failure: failure
At this point everything seems to be in order. When the search query is run, I see all the logs from my gateway containing failures, and the Public_IP_Test field is capturing the IPs. If I click on the SELECTED FIELD Public_IP_Test, I am presented with a TOP 10 hosts with their IPs, as well as their count.
Step 3 - Having Problems
The last thing I want to add is that I want my query to display the logs only if a public IP address has been repeated more than 30 times. In other words, I will need to count the newly created field Public_IP_Test.
host="192.168.68.1" Public_IP_Test="*" failure
| stats count as MyTestCount by Public_IP_Test
| where MyTestCount > 30
This displays each public IP and its hit count, but I am unable to save it as a query, as I receive this message: You cannot base an event type on a search that includes a pipe operator or a subsearch.
Additional example of the logs
9/30/20
7:02:50.000 AM
system,error,critical user: login failure for user 666666 from 77.234.44.184 via ssh
Public_IP_Test = 77.234.44.184   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
7:02:50.000 AM
system,error,critical login failure for user 666666 from 77.234.44.184 via ssh
Public_IP_Test = 77.234.44.184   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
6:13:40.000 AM
system,error,critical user: login failure for user dircreate from 49.145.0.58 via ssh
Public_IP_Test = 49.145.0.58   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
6:13:40.000 AM
system,error,critical login failure for user dircreate from 49.145.0.58 via ssh
Public_IP_Test = 49.145.0.58   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
5:39:45.000 AM
system,error,critical user: login failure for user 888888 from 157.47.108.9 via ssh
Public_IP_Test = 157.47.108.9   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
5:39:45.000 AM
system,error,critical login failure for user 888888 from 157.47.108.9 via ssh
Public_IP_Test = 157.47.108.9   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
5:25:54.000 AM
system,error,critical user: login failure for user admin from 47.27.232.96 via ssh
Public_IP_Test = 47.27.232.96   host = 192.168.68.1   index = main   linecount = 1   source = udp:514   sourcetype = syslog   timestamp = none
9/30/20
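As an added illustration (not code from the post, and not Splunk's own implementation), the three steps above can be modelled in Python over constructed sample events: the regex extraction from Step 1, the base search from Step 2 as a per-event yes/no predicate, and the stats/where aggregation from Step 3. It makes the point of the "cannot base an event type on a search that includes a pipe operator" message concrete: an event type is a predicate evaluated on one event at a time, while the "more than 30 times" condition is only knowable after counting across events, which is why the threshold has to live in the saved search behind an alert rather than in an event type. The event dicts, host values, the 10.0.0.1 host and the per-address counts are all made up for the example; keyword matching is simplified to a case-insensitive substring test.

```python
import re
from collections import Counter

# Field extraction from the post: the IPv4 address between "from " and " via ssh".
PUBLIC_IP_RE = re.compile(r"(?s)from\s+(?P<Public_IP_Test>\d+\.\d+\.\d+\.\d+)\s+via\s+ssh")

GATEWAY_HOST = "192.168.68.1"   # the host="..." term of the base search
THRESHOLD = 30                  # the where MyTestCount > 30 term


def build_sample_events():
    """Constructed sample events (not real data) shaped like the syslog in the post.

    Each event is a dict with the two fields the model needs: host and _raw.
    """
    gw = GATEWAY_HOST
    events = []
    # 32 SSH failures from one address: the only source that should trip the alert.
    events += [{"host": gw, "_raw": "system,error,critical user: login failure for user pi from 141.98.10.210 via ssh"}] * 32
    # 5 SSH failures from another address: below the threshold, must not alert.
    events += [{"host": gw, "_raw": "system,error,critical login failure for user admin from 47.27.232.96 via ssh"}] * 5
    # Successful login: no "failure" keyword, so the base search drops it.
    events += [{"host": gw, "_raw": "system,info,account user admin logged in from 192.168.68.50 via ssh"}]
    # Failure over telnet: the regex requires "via ssh", so no Public_IP_Test is extracted.
    events += [{"host": gw, "_raw": "system,error,critical login failure for user root from 49.145.0.58 via telnet"}]
    # Same message from a different (made-up) host: excluded by host="192.168.68.1".
    events += [{"host": "10.0.0.1", "_raw": "system,error,critical login failure for user pi from 141.98.10.210 via ssh"}] * 40
    return events


def extract_public_ip(raw):
    """The regex field extraction: returns the Public_IP_Test value, or None if absent."""
    m = PUBLIC_IP_RE.search(raw)
    return m.group("Public_IP_Test") if m else None


def event_type_match(event):
    """The base search host="192.168.68.1" Public_IP_Test="*" failure as a per-event predicate.

    This is all an event type can express: a decision about ONE event. It has no
    way to know how many other events carry the same Public_IP_Test value.
    """
    return (event["host"] == GATEWAY_HOST
            and "failure" in event["_raw"].lower()
            and extract_public_ip(event["_raw"]) is not None)


def stats_count_by_public_ip(events):
    """| stats count as MyTestCount by Public_IP_Test  (over the base-search matches)."""
    return Counter(extract_public_ip(e["_raw"]) for e in events if event_type_match(e))


def where_above_threshold(counts, threshold=THRESHOLD):
    """| where MyTestCount > 30  (strictly greater, exactly as written in the post)."""
    return {ip: n for ip, n in counts.items() if n > threshold}


def run_alert_search(events, threshold=THRESHOLD):
    """The full piped search an alert would run; each returned row is an offending address."""
    return where_above_threshold(stats_count_by_public_ip(events), threshold)


if __name__ == "__main__":
    for ip, n in sorted(run_alert_search(build_sample_events()).items()):
        print(ip, n)
```

Running the block prints `141.98.10.210 32`: the 5-failure address stays under the threshold, the telnet line never gets a Public_IP_Test field, and the 40 events from the other host are filtered out by the host term before counting. The boundary matters for the alert: `where MyTestCount > 30` fires at 31, not at 30.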