| rest splunk_server=local /servicesNS/-/-/saved/searches | where match('action.correlationsearch.enabled',"1|(?i)true") | table title search updated
0 comments
[1]
[1]
[1]
[1]
| rest splunk_server=local /services/saved/searches | where match(search,"datamodel") and 'action.correlationsearch.enabled'=1 | fields title search | rex field=search "datamodel=(?<datamodel1\S+)" | rex field=search "datamodel:(?<datamodel2>\S+)" | rex field=search "datamodel\s\"(?<datamodel3>[^\"]+)" | eval datamodel=coalesce(datamodel1,coalesce(datamodel2,datamodel3)) | table title search datamodel
0 comments
[1]
[1]
[1]
[1]
| rest splunk_server=local /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") and match('is_scheduled',"1") and match('disabled',"0") | table title search
0 comments
[2]
[2]
[2]
[2]
| from datamodel:"Authentication"."Authentication"
| search action=failure OR action=success
| streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by user
| where action="success" and failure_count > 10 | stats values(failure_count) as failure_count by user
0 comments
[2]
[2]
[2]
[2]