We use Workday as our payroll system and have a Workday add-on with logs in an index called dmc_workday_index. I want to see the attempts over 5 to change direct deposit information within Workday that are coming from unknown source IP's. We thought something like below which works except for the last part referring to the != expression. I want something more efficient anyway. Hoping someone has a few good suggestions.
index=dmc_workday_index taskDisplayName="Manage Payment Elections" | stats count by ipAddress | where (count > 5) ipAdress != "64.147.0.0/16"
↧