I have three event types:
eventtype="windows_login_failed"
eventtype="duo_login_failed"
eventtype="sremote_login_failed"
I am trying to run a search in which I rename the event types to a common name:
Windows = eventtype="windows_login_failed"
DUO = eventtype="duo_login_failed"
Sremote = eventtype="sremote_login_failed"
I run the following search, but I keep getting an error message stating: "Error in 'eval' command: The expression is malformed. Expected )."
eventtype="windows_login_failed" OR eventtype="duo_login_failed" OR eventtype="sremote_login_failed" [| inputlookup xxx_xxx ] OR [| inputlookup yyy_yyy] | eval Source = (eventtype == windows_login_failed, "Windows"), (eventtype == sremote_login_failed, "SRemote"), (eventtype == duo_login_failed, "DUO") | stats count by myuser,Source| sort -count
Any help would be greatly appreciated
Thx
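The malformed-expression error comes from the comma-separated `(condition, value)` pairs: the SPL eval command has no tuple syntax, so a conditional mapping has to go through case() (or nested if()), and the eventtype values must be quoted, since an unquoted name is read as a field reference. A corrected form of the search, added here as an example rather than taken from the post, keeping the post's placeholder subsearches and adding a true() fallback so unmatched events are not silently dropped from the count:

```spl
eventtype="windows_login_failed" OR eventtype="duo_login_failed" OR eventtype="sremote_login_failed"
    [| inputlookup xxx_xxx ] OR [| inputlookup yyy_yyy]
| eval Source = case(
      eventtype == "windows_login_failed", "Windows",
      eventtype == "sremote_login_failed", "SRemote",
      eventtype == "duo_login_failed",     "DUO",
      true(),                              "Other")
| stats count by myuser, Source
| sort -count
```

If an event matches more than one eventtype, the eventtype field is multivalued and the comparison is evaluated against its first value; check with `| stats count by eventtype` before relying on the Source column.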