https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73572#M4646 <P>Assuming you already have the src_ip field being extracted, you need a stats command to build a count. Try the following search over a relevant time period:-</P> <PRE><CODE>seclogin: "Login failed" "invalid user" | stats count by src_ip | where count&gt;20 </CODE></PRE> Thu, 27 Dec 2012 22:30:44 GMT BobM 2012-12-27T22:30:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73571#M4645 <P>Greetings,</P> <P>I am trying to setup up Splunk to count the failed login attempts on our firewall and then run a script that will login to the firewall and block said IP address.</P> <P>Currently, I have it setup to capture failed login attempts and run the default script (echo.sh) for testing purposes.</P> <P>My questions is, how do I count and pass the IP address after “from” in the log below?</P> <P>Dec 27 15:37:36 192.168.4.1 seclogin: [2012 Dec 27 15:37:36] UTM5 Login failed: invalid user sdhsdh from 192.168.4.3</P> <P>Do I have to create a field type or use the field extractor? How does either, affect Splunks outputs listed here: <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts">http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts</A></P> Thu, 27 Dec 2012 22:18:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73571#M4645 username9000 2012-12-27T22:18:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73572#M4646 <P>Assuming you already have the src_ip field being extracted, you need a stats command to build a count. Try the following search over a relevant time period:-</P> <PRE><CODE>seclogin: "Login failed" "invalid user" | stats count by src_ip | where count&gt;20 </CODE></PRE> Thu, 27 Dec 2012 22:30:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73572#M4646 BobM 2012-12-27T22:30:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73573#M4647 <P>Hi Bob,</P> <P>No I have not extracted the src_ip field. Am I to define a regular expression to extract the IP or is there a more friendly GUI approach?</P> Fri, 28 Dec 2012 14:32:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73573#M4647 username9000 2012-12-28T14:32:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73574#M4648 <P>The interactive field extractor can do this for you. <BR /> There is a quick 3min video here <A href="http://www.splunk.com/view/SP-CAAADUY">http://www.splunk.com/view/SP-CAAADUY</A><BR /> and the docs are here <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/5.0.1/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> Fri, 28 Dec 2012 14:58:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73574#M4648 BobM 2012-12-28T14:58:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73575#M4649 <P>The logs only have one IP address in them (192.168.4.3), by using the GUI will it account for IP addresses that vary in the individual octet? For example, 17.45.252.1? etc? Or do i need to edit the rex syntax? I receive an error message for entering IP addresses that are not found within the log.</P> Fri, 28 Dec 2012 16:00:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73575#M4649 username9000 2012-12-28T16:00:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73576#M4650 <P>The regex should be generic and accept any numbers.</P> Fri, 28 Dec 2012 16:10:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73576#M4650 BobM 2012-12-28T16:10:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73577#M4651 <P>I found this in another thread, seems to have done the trick.</P> <P>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"</P> <P>thx for ur help</P> Fri, 28 Dec 2012 16:20:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Scripting-Search-Passing-Vars/m-p/73577#M4651 username9000 2012-12-28T16:20:50Z