Thanks for the help, it’s almost perfect. We slightly modified your query:
| stats values(cn) as cn, values(IP) as IP, values(err) as err, count(err) as err_count by dest conn
| where err!=0
Unfortunately, the condition | where err!=0 doesn’t return a result if there are error codes other than 0. For example, it could be a few failed authentications followed by a successful one, like in this case:
We tried to use some other conditions like | search NOT err=0 but with no success. Do you have an idea how to make it work?
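One way to get the intended result is shown below as an added example (not the poster's query and not from any answer on this page). It assumes the same field names as the post (cn, IP, err, dest, conn) and that err is the per-event authentication result code with 0 meaning success. The root cause it works around is that values(err) produces a multivalue field, so a scalar test such as err!=0 after the stats does not examine each value separately; the example therefore flags each failed event before aggregation and filters on the aggregated failure count, which still reports sessions where a few failures were followed by a success:

```spl
| eval failed=if(err=0, 0, 1)
| stats values(cn) as cn, values(IP) as IP, values(err) as err, sum(failed) as err_count, count as total by dest conn
| where err_count > 0
```

err_count is now the number of failed events per dest/conn rather than the number of events carrying an err field, and total keeps the overall event count so the ratio of failures to successes per session is visible for triage. If you prefer to leave the original stats line untouched, filtering the multivalue field itself also works: | where mvcount(mvfilter(err!=0)) > 0, since mvcount of an empty result is null and the row is dropped.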