automine

Rolling authentication failures by device over 1 minute windows

April 8, 201927 words

|tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication where  Authentication.action="failure" by _time Authentication.dest span=1s 
| rename Authentication.* AS * 
| streamstats time_window=1m sum(count) AS dest_failures by dest

You'll only receive email when they publish something new.

More from automine