I am trying to adjust my alert to provide results with each record on a separate line. I have the following search string that counts the total records and does a subtotal. If it goes over a certain number of records for that hour, it triggers an alert. The problem is that it does not separate each record as it should. Can someone please assist?
`sourcetype=udp:5514 host = 10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)|eval Object=if(isnull(file),directory,file)|eval Type=if(isnull(file),"Directory","File") | stats count list(Object) as whatchanged by user, operation, machine_source | rename user as User, operation as Operation, machine_source as Source, whatchanged as What_Change | sort -count | search count>100`
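One way to get one row per changed object while still alerting on the per-hour group total, as an added example that is not part of the original post. It keeps the original field names (`user`, `operation`, `machine_source`, `file`, `directory`) and assumes the hourly window is still set by the alert schedule; the threshold of 100 is carried over from the poster's `search count>100`.

```spl
sourcetype=udp:5514 host=10.0.0.3 "D:\\Data" NOT Read NOT Permissions file=* OR (directory=* AND operation!=Read)
| eval Object=if(isnull(file),directory,file)
| eval Type=if(isnull(file),"Directory","File")
| stats count by user, operation, machine_source, Object, Type
| eventstats sum(count) as total by user, operation, machine_source
| where total>100
| rename user as User, operation as Operation, machine_source as Source, Object as What_Change
| sort -total, -count
| table User, Operation, Source, Type, What_Change, count, total
```

Putting `Object` in the `stats ... by` clause instead of collecting it with `list(Object)` avoids the multivalue `What_Change` field that renders as one cell per group; `eventstats` then attaches the group total to every row so `where total>100` still fires on the same condition as the original `search count>100`.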