I’m after a query that searches for the key words ‘exception’ AND ‘uat’ (case insensitive) and only displays results if it’s 10 or more from 60 min ago to now. The intention is for a SIEM alert to be triggered when exceptions for the secure service exceed a certain level.
Not sure what keys your logsets have, so adjust the groupby to fit your requirements for keys.
Process start activity logs used as an example
You could probably use something like:
where(/exception/i AND /uat/i) groupby(hostname, process.name) having(count>10) limit(10000)
or if you don’t want to use regex and instead want to use specific keys in your where statement
Replace “process.name” with the key that you want to target.
The second method is better when you know the keys you want to search; the first is just all-inclusive of every key in the log entry, so it might be slower or have a lower index factor.
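The same thresholding logic, written out as an added Python example so the behaviour of the regex-based query can be checked offline (this is not code from the thread or from any SIEM vendor). It assumes a constructed log-line format of `<ISO 8601 timestamp> host=<hostname> process=<name> msg=<text>`, which stands in for whatever keys your logset actually has, and it uses the question's "10 or more" (`>=`) rather than the answer's `count>10`, so a group fires at exactly 10 events.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Both keywords must appear anywhere in the raw line, case-insensitively,
# mirroring `where(/exception/i AND /uat/i)` in the answer above.
KEYWORD_PATTERNS = [
    re.compile(r"exception", re.IGNORECASE),
    re.compile(r"uat", re.IGNORECASE),
]

# Constructed line format for this example (an assumption; real schemas differ):
# "<ISO8601 timestamp> host=<hostname> process=<name> msg=<text>"
LINE_RE = re.compile(r"(\S+)\s+host=(\S+)\s+process=(\S+)\s+msg=(.*)$")


def matches_keywords(line):
    """True only when every keyword pattern is found somewhere in the line."""
    return all(p.search(line) for p in KEYWORD_PATTERNS)


def parse_event(line):
    """Split a constructed log line into timestamp and the keys we group by."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group(1)),
        "hostname": m.group(2),
        "process": m.group(3),
        "raw": line,
    }


def exceeding_groups(lines, now, window=timedelta(minutes=60), threshold=10):
    """Return {(hostname, process): count} for groups with >= threshold matching
    events whose timestamp lies in [now - window, now]. This is the rough
    equivalent of groupby(hostname, process.name) having(count>=threshold)."""
    start = now - window
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skipped rather than counted
        if not (start <= ev["ts"] <= now):
            continue  # outside the 60-minute look-back
        if not matches_keywords(ev["raw"]):
            continue
        counts[(ev["hostname"], ev["process"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample data: a fixed "now" so the result is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def build_sample():
    """Constructed log lines covering the cases the query has to get right."""
    lines = []
    # 12 matching events on host-a inside the window -> should alert
    for i in range(12):
        ts = NOW - timedelta(minutes=2 * i + 1)
        lines.append(f"{ts.isoformat()} host=host-a process=secure-svc "
                     f"msg=Unhandled EXCEPTION in UAT environment")
    # 5 matching events on host-a but older than 60 min -> must not count
    for i in range(5):
        ts = NOW - timedelta(minutes=70 + i)
        lines.append(f"{ts.isoformat()} host=host-a process=secure-svc "
                     f"msg=exception seen in uat earlier")
    # 3 matching events on host-b -> below threshold
    for i in range(3):
        ts = NOW - timedelta(minutes=5 * i + 2)
        lines.append(f"{ts.isoformat()} host=host-b process=secure-svc "
                     f"msg=Exception raised (uat)")
    # 11 exceptions on host-c that never mention uat -> must not match
    for i in range(11):
        ts = NOW - timedelta(minutes=i + 1)
        lines.append(f"{ts.isoformat()} host=host-c process=api "
                     f"msg=exception in PROD")
    return lines


if __name__ == "__main__":
    for (host, proc), n in exceeding_groups(build_sample(), NOW).items():
        print(f"ALERT {host}/{proc}: {n} uat exceptions in the last 60 min")
```

Running it prints a single alert line for host-a/secure-svc; the stale host-a events, the three host-b events, and the non-UAT exceptions on host-c are all filtered out, which is exactly what the `where` / `having` combination in the LEQL query is meant to do. Lowering `threshold` (or `count>` in the real query) is the knob to tune if the secure service is chatty enough that 10 is too noisy or too quiet.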