| transactionize user_id (merge user_id, _raw join with "\n---\n")
| parse "[Action:*," as login_unsuccessful
| count by user_id, login_unsuccessful
What I'm trying to do is, for example, if a user tries to log in many times from the same id or email that I parsed, then I would like to group ALL related events with that one email and count how many times the user had unsuccessful attempts. With the current approach above, I get only one count.
I can do it without the transactionize operator, which is fine, but I thought it's easier to see all of them grouped rather than one event at a time.
Any other suggested approaches would be appreciated.