I would like to use Kapacitor to count failed login attempts (which are logged events that we can capture with Telegraf). Then, if there are 4 events within a period of, let’s say, 1 minute for the same account, send an email warning.
I got this partly working, with the code below:
.warn(lambda: "number_of_failed_attempts" >= failed_login_email_threshold)
.message('Number of failed login attempt warning')
But how can I reset the counter number_of_failed_attempts? I would like to reset it if there is no event arriving within X minutes from the last event.
I tried with window() and deadman(), but with no good outcome yet.
Any help would be appreciated.
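Added example, not part of the original post and not Kapacitor code: a Python model of the counting behaviour the question describes (per-account count, warning at the threshold, reset after a quiet gap), usable as a reference when checking what a TICKscript pipeline emits. The class and function names, the 60-second reset interval and the sample events are assumptions.

```python
from collections import defaultdict, deque

FAILED_LOGIN_EMAIL_THRESHOLD = 4  # variable name from the post; value from "4 events"
PERIOD_S = 60                     # "1 minute" from the post
IDLE_RESET_S = 60                 # the post's "X"; 60 s is an assumed value

class FailedLoginCounter:
    """Per-account failed-login counter (hypothetical helper, not Kapacitor code)."""
    def __init__(self, threshold=FAILED_LOGIN_EMAIL_THRESHOLD,
                 period_s=PERIOD_S, idle_reset_s=IDLE_RESET_S):
        self.threshold, self.period_s, self.idle_reset_s = threshold, period_s, idle_reset_s
        self._times = defaultdict(deque)  # account -> event times still counted
        self._warned = set()              # accounts already warned for the current burst

    def observe(self, account, ts):
        """Record a failed login at ts (seconds); return (count, send_warning)."""
        times = self._times[account]
        # Explicit reset: no event arrived within idle_reset_s of the last one. Only
        # changes the result when idle_reset_s < period_s; see window expiry below.
        if times and ts - times[-1] > self.idle_reset_s:
            times.clear()
        times.append(ts)
        # Window expiry: events older than period_s stop counting.
        while ts - times[0] >= self.period_s:
            times.popleft()
        count = len(times)
        if count < self.threshold:
            self._warned.discard(account)  # re-arm once the burst is over
            return count, False
        # Warn once per burst instead of on every event above the threshold.
        send = account not in self._warned
        self._warned.add(account)
        return count, send

def replay(events, **kwargs):
    """Feed time-ordered (ts, account) pairs; return the warnings that would be sent."""
    counter, sent = FailedLoginCounter(**kwargs), []
    for ts, account in events:
        count, send = counter.observe(account, ts)
        if send:
            sent.append((ts, account, count))
    return sent

# Constructed sample data: alice bursts, goes quiet, bursts again; bob stays low.
SAMPLE = [(0, "alice"), (5, "bob"), (10, "alice"), (20, "alice"), (30, "alice"), (35, "alice"),
          (40, "bob"), (200, "alice"), (205, "alice"), (210, "alice"), (215, "alice")]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With a sliding window the counter falls back on its own once events age out of the period, so the separate reset interval only matters when it is shorter than the period.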