So, I am going through windows logs, and have output that works for me with something like:
index=windows sourcetype="WinLog" EventCode=XXXX | stats values(Account) by host_machine
But I only want to have hast_machines, where there are more than 5 events. I don't care if there is 1 or 100 'Account' values.
I had attempted to do a subsearch, but something went sideways on that one. Anyone do something like this in the past?
↧