I have a search that produces aggregated results displaying a _count field. I want to modify this search to add a new field whose value changes if the count of records is greater than a certain number. I'm not sure how to access the aggregate generated count/_count field from within the search, or if that is even possible.

Search in question:

(_sourceCategory=DomainController AND "Audit Failure") AND "myserver.mydomain.com"
| parse ";\n\tTimeGenerated = \"*\";" as time_generated
| parse "Source Network Address:\t*Source Port:" as src_ip_address nodrop
| parse "Failed:*Account Name:\t\t*Account Domain:" as security_id,user_account nodrop
| parse "\tComputer = \"*\";" as node
| parse using public/windows/2008
| top 10 user_account,fail_reason,node,wkstation,src_ip_address by count

Condition I want to add (this doesn't work):

| _count > 50 ? "High":"Warning" as severity

Then I would modify the last line of the search to this:

| top 10 user_account,fail_reason,node,wkstation,src_ip_address,severity by count

Any help would be appreciated. Thanks!

Mike
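One way to restructure the pipeline so the conditional can see the aggregate count, as an added example that is not part of the original post or a Sumo Logic answer: it keeps the post's own parse stages and field names, and assumes Sumo Logic's count, if and top operators, where _count is produced by the count stage and is only available to later stages.

```sumo
(_sourceCategory=DomainController AND "Audit Failure") AND "myserver.mydomain.com"
| parse ";\n\tTimeGenerated = \"*\";" as time_generated
| parse "Source Network Address:\t*Source Port:" as src_ip_address nodrop
| parse "Failed:*Account Name:\t\t*Account Domain:" as security_id,user_account nodrop
| parse "\tComputer = \"*\";" as node
| parse using public/windows/2008
// Aggregate first: _count does not exist until an aggregating operator has run
| count by user_account, fail_reason, node, wkstation, src_ip_address
// Now each aggregated row carries _count, so the threshold can be evaluated per row
// (assumed Sumo Logic if() syntax; the ternary form _count > 50 ? "High" : "Warning" is equivalent)
| if(_count > 50, "High", "Warning") as severity
// Keep the ten rows with the most audit failures; severity is carried along as a plain field
| top 10 user_account, fail_reason, node, wkstation, src_ip_address, severity by _count
```

The threshold of 50 is the post's own value; tune it to the expected failure volume for the server so that ordinary password typos stay at "Warning" and only bursts consistent with guessing activity are marked "High".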