Rolling authentication failures by device over 1 minute windows
April 8, 2019
|tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication where Authentication.action="failure" by _time Authentication.dest span=1s
| rename Authentication.* AS *
| streamstats time_window=1m sum(count) AS dest_failures by dest
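
What the `streamstats time_window=1m sum(count) AS dest_failures by dest` step computes, modelled in Python as an added example that is not part of the original post. The sample rows are constructed, and treating a row exactly 60 seconds old as already outside the window is an assumption about boundary handling. The fixed-bucket function is included only for comparison, to show a burst that straddles a minute boundary.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # corresponds to time_window=1m in the search


def rolling_failures(rows, window=WINDOW_SECONDS):
    """rows: (epoch_second, dest, count) tuples, shaped like the tstats output.

    Returns (epoch_second, dest, count, dest_failures) per row, where
    dest_failures sums count for the same dest over the trailing window.
    """
    recent = defaultdict(deque)  # dest -> (time, count) rows still in the window
    totals = defaultdict(int)    # dest -> running sum of that deque
    out = []
    for t, dest, count in sorted(rows):       # the window needs time-ordered input
        q = recent[dest]
        while q and q[0][0] <= t - window:    # assumption: 60 s old means expired
            totals[dest] -= q.popleft()[1]
        q.append((t, count))
        totals[dest] += count
        out.append((t, dest, count, totals[dest]))
    return out


def peak_by_dest(rows, window=WINDOW_SECONDS):
    """Highest rolling failure total seen for each dest."""
    peaks = {}
    for _, dest, _, total in rolling_failures(rows, window):
        peaks[dest] = max(peaks.get(dest, 0), total)
    return peaks


def fixed_bucket_peaks(rows, window=WINDOW_SECONDS):
    """Comparison only: highest total per dest using aligned, non-overlapping buckets."""
    buckets = defaultdict(int)
    for t, dest, count in rows:
        buckets[(dest, t // window)] += count
    peaks = {}
    for (dest, _), total in buckets.items():
        peaks[dest] = max(peaks.get(dest, 0), total)
    return peaks


# Constructed sample rows: (epoch_second, dest, failure count in that second).
# vpn01 has a burst that straddles the 60-second boundary.
SAMPLE = [
    (50, "vpn01", 6), (70, "vpn01", 6), (200, "vpn01", 2),
    (5, "web02", 1), (300, "web02", 1),
]
```

On the sample, the rolling window reports 12 failures for `vpn01` within one minute, while aligned 1-minute buckets split the same burst into two buckets of 6.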