Rolling authentication failures by device over 1 minute windows

April 8, 2019•27 words

|tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication where  Authentication.action="failure" by _time Authentication.dest span=1s 
| rename Authentication.* AS * 
| streamstats time_window=1m sum(count) AS dest_failures by dest

Subscribe to the author's posts

You'll only receive email when they publish something new.