Need help creating a specific search query / event

1. Describe your incident:

Hello everyone. I am trying to create an event which notifies me as soon as a user object in the AD is creating an amount of requests which is over a certain treshold (for example: I receive an e-mail if user object X has a message count of 50000 or higher shown in Graylog).

I cant seem to make it work and I am wondering if someone has created something similar and can share their search query with me.

2. Describe your environment:

Not applicable.

3. What steps have you already taken to try and solve the problem?

Tried to tinker with different winlogbeat search querys / Event IDs but couldnt find the correct way to make it work.

4. How can the community help?

Looking for help creating the correct search query.

Thanks in advance to everyone who is taking the time to help out!

You can’t find this information with a search query alone. It sounds like you will want to make an alert, specifically an aggregation alert. This will allow you to say group by the user name, and then apply a rule that when count is higher than 5000 trigger the alert. After that you just need to attach an email notification to the event.
https://go2docs.graylog.org/5-0/interacting_with_your_log_data/alerts_and_events.html

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.