I am running the following search looking for a user who logs in from multiple cities within a five-minute time period.
index=foo
| bin span=5m _time
| dedup src
| iplocation src
| stats count by _time City src user
| sort -count
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user
| where City_Count > 3
| sort -Total
| table _time user City IP
Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?
Thx
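The following is an added example, not code from the original post: it models the same detection in Python so the aggregation semantics are visible. The search above bins `_time` into 5-minute spans, geolocates `src`, and counts distinct cities per user; the point the model makes is that an aggregation step keeps only the fields it explicitly collects, so the raw events have to be carried through the grouping alongside the city set or they are gone by the time the filter runs. The log line format, the IP-to-city table standing in for `iplocation`, and the `min_cities` threshold (the post uses `City_Count > 3`; the small sample below defaults to 2) are all constructed assumptions for this example.

```python
"""Model of the 'multiple cities within one 5-minute window' login check.

Added example, not code from the original post. It mirrors the SPL
pipeline (bin _time by 5 minutes, geolocate src, count distinct cities
per user) and keeps the raw events attached to each (user, window)
group, which is what the post's stats-based search loses.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
2024-03-01T10:00:12Z action=login user=alice src=203.0.113.10
2024-03-01T10:01:40Z action=login user=alice src=198.51.100.7
2024-03-01T10:03:05Z action=login user=alice src=192.0.2.44
2024-03-01T10:02:30Z action=login user=bob src=203.0.113.10
2024-03-01T10:04:10Z action=login user=bob src=203.0.113.10
2024-03-01T10:40:00Z action=login user=carol src=198.51.100.7
2024-03-01T10:52:00Z action=login user=carol src=192.0.2.44
"""

# Constructed stand-in for the iplocation lookup (RFC 5737 documentation ranges).
GEO_LOOKUP = {
    "203.0.113.10": "Seattle",
    "198.51.100.7": "Berlin",
    "192.0.2.44": "Singapore",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) action=login user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_event(line):
    """Return (epoch_seconds, user, src, raw_line) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m["user"], m["src"], line


def find_multi_city_logins(log_text, span_seconds=300, min_cities=2):
    """Group logins into fixed time bins (like `bin span=5m _time`) and report
    each (user, bin) whose source IPs geolocate to at least `min_cities`
    distinct cities. The raw lines are retained in every reported group."""
    groups = defaultdict(lambda: {"cities": set(), "ips": set(), "events": []})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that are not login events
        epoch, user, src, raw = ev
        bucket = epoch - (epoch % span_seconds)  # bin start, as SPL's bin does
        city = GEO_LOOKUP.get(src, "unknown")    # iplocation stand-in
        g = groups[(user, bucket)]
        g["cities"].add(city)
        g["ips"].add(src)
        g["events"].append(raw)                  # carry _raw through the grouping

    results = []
    for (user, bucket), g in sorted(groups.items()):
        if len(g["cities"]) >= min_cities:
            results.append({
                "user": user,
                "window_start": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "city_count": len(g["cities"]),
                "cities": sorted(g["cities"]),
                "ips": sorted(g["ips"]),
                "events": g["events"],
            })
    return results


if __name__ == "__main__":
    for hit in find_multi_city_logins(SAMPLE_LOG):
        print(f"{hit['user']} @ {hit['window_start']}: {hit['city_count']} cities {hit['cities']}")
        for raw in hit["events"]:
            print("   ", raw)
```

On the sample data only alice is reported (three cities inside the 10:00 window); carol's two cities fall in different 5-minute bins and bob uses one IP, so neither is flagged. Note that the post's second `stats ... by user` has no `_time` in its `by` clause, so its `dc(City)` counts cities per user across the whole search range rather than per 5-minute window; the model above keeps the window in the grouping key.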