I have just been playing around for a few days with LI. I am impressed by the speed, but I would like to use it for some security stuff and I cannot find any way to set up complex queries via the search window.
In Splunk such a query is possible. Can this be achieved with LI?
| inputlookup event_id_4648_runas.csv | convert mktime(_time) timeformat="%Y-%m-%dT%H:%M:%S.%3Q%z" | makemv Account_Name delim="," | bucket _time span=1d | stats count by _time Unprivileged_Account_Name
| eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'count',null))) as "count" avg(eval(if(_time<relative_time(maxtime,"-1d@d"),'count',null))) as avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),'count',null))) as stdev by "Unprivileged_Account_Name"
| eval lowerBound=(avg-stdev*2), upperBound=(avg+stdev*2)
| eval isOutlier=if(('count' < lowerBound OR 'count' > upperBound) AND num_data_samples >=7, 1, 0)
The input can be any data; in this example it's a CSV.
Thanks for your reply.
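What the Splunk query above computes, written out as an added Python example that is not part of the original post (the 4648 runas events are constructed sample data; field names such as count, avg, stdev, lowerBound, upperBound and isOutlier are taken from the query): per-account daily counts, a baseline mean and sample standard deviation from the days before the last two, and an outlier flag when the recent maximum falls outside avg ± 2·stdev with at least 7 days of data for that account.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # same layout as the query's %Y-%m-%dT%H:%M:%S.%3Q%z

def make_events():
    """Constructed sample of event ID 4648 (runas) records as (timestamp, unprivileged account)."""
    profile = {"alice": [2, 1, 2, 1, 2, 1, 2, 2, 1, 12],  # steady for 9 days, spike on day 10
               "carol": [2] * 10,                          # flat baseline, nothing unusual
               "bob":   [0] * 7 + [1, 1, 1]}               # only 3 days of data: too few to judge
    events = []
    for account, per_day in profile.items():
        for offset, n in enumerate(per_day):
            day = datetime(2024, 3, 1, 8, tzinfo=timezone.utc) + timedelta(days=offset)
            events += [((day + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%S.000%z"), account)
                       for i in range(n)]
    return events

def daily_counts(events):
    """bucket _time span=1d | stats count by _time Unprivileged_Account_Name"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, account in events:
        counts[account][datetime.strptime(ts, TIME_FMT).astimezone(timezone.utc).date()] += 1
    return counts

def find_outliers(events, sigma=2, min_samples=7):
    """Per account: baseline avg/stdev from days before the cutoff, compare the recent max."""
    counts = daily_counts(events)
    maxtime = max(d for per_day in counts.values() for d in per_day)  # eventstats max(_time)
    cutoff = maxtime - timedelta(days=1)                               # relative_time(maxtime, "-1d@d")
    results = {}
    for account, per_day in counts.items():
        baseline = [c for d, c in per_day.items() if d < cutoff]
        recent = [c for d, c in per_day.items() if d >= cutoff]
        row = {"num_data_samples": len(per_day), "count": max(recent) if recent else None,
               "avg": None, "stdev": None, "lowerBound": None, "upperBound": None, "isOutlier": 0}
        if len(baseline) >= 2:  # sample stdev needs at least two baseline days
            row["avg"], row["stdev"] = mean(baseline), stdev(baseline)
            row["lowerBound"] = row["avg"] - sigma * row["stdev"]
            row["upperBound"] = row["avg"] + sigma * row["stdev"]
            if row["count"] is not None and row["num_data_samples"] >= min_samples:
                row["isOutlier"] = int(row["count"] < row["lowerBound"] or row["count"] > row["upperBound"])
        results[account] = row
    return results

if __name__ == "__main__":
    for account, row in find_outliers(make_events()).items():
        print(account, row)
```

An account that only appears in the last couple of days never gets a baseline, so it cannot be flagged by this logic and needs a separate new-account check.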