https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39528#M467 <P>There are several ways, for example:</P> <PRE><CODE>search for event 4776 | transaction account maxpause=120s </CODE></PRE> <P>This will group together events for the same user as long as they are no more than two minutes apart. Any result with eventcount&gt;1 is what you're looking for.</P> <P>Alternatively, you can roll your own pseudo-transactions like this:</P> <PRE><CODE>search for event 4776 | streamstats current=f window=1 global=f last(_time) as last_time by user | where abs(last_time-_time)&lt;=120 </CODE></PRE> <P>That should run much faster than the transaction, but yields a slightly different result - what's better in your case depends on your environment.</P> Mon, 20 May 2013 10:20:52 GMT martin_mueller 2013-05-20T10:20:52Z https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39527#M466 <P>Hi, I need to search 2 failed and identical loggin attemps with 2 minutes between each other to know if someone is trying to guess the pass of a domain account.</P> <P>For example, I want to search for the Event 4776(failed loggin attempt) for the same account but only if is happening between for example 2 minutes.<BR /> How can I search this?</P> <P>Thanks in advance</P> Mon, 20 May 2013 09:52:58 GMT https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39527#M466 Silverfeyn 2013-05-20T09:52:58Z https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39528#M467 <P>There are several ways, for example:</P> <PRE><CODE>search for event 4776 | transaction account maxpause=120s </CODE></PRE> <P>This will group together events for the same user as long as they are no more than two minutes apart. Any result with eventcount&gt;1 is what you're looking for.</P> <P>Alternatively, you can roll your own pseudo-transactions like this:</P> <PRE><CODE>search for event 4776 | streamstats current=f window=1 global=f last(_time) as last_time by user | where abs(last_time-_time)&lt;=120 </CODE></PRE> <P>That should run much faster than the transaction, but yields a slightly different result - what's better in your case depends on your environment.</P> Mon, 20 May 2013 10:20:52 GMT https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39528#M467 martin_mueller 2013-05-20T10:20:52Z https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39529#M468 <P>Assuming you have the fields "EventID" and "Account" (otherwise adjust accordingly):</P> <PRE><CODE>... EventID=4776 | transaction Account maxspan=2m | search eventcount&gt;1 </CODE></PRE> Mon, 20 May 2013 10:23:36 GMT https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39529#M468 Ayn 2013-05-20T10:23:36Z https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39530#M469 <P>Ok, I have been looking and the correct code is ;<BR /> EventCode=4625<BR /> The Account field doesn't exist, there is a subfield that tracks the username that I want to look for, this is a example of the log;<BR /> <IMG src="http://i41.tinypic.com/2vb0rqs.png" alt="alt text" /></P> <P>The yellow part would be the "Account" but I don't know how to track it, and if I use <BR /> "EventCode=4625 | transaction ComputerName maxspan=2m | search eventcount&gt;1" trying to track the ComputerName field, It shows all the events, not only events happened in the last 2 minutes.</P> Mon, 20 May 2013 11:05:56 GMT https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39530#M469 Silverfeyn 2013-05-20T11:05:56Z https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39531#M470 <P>Ok, I have been looking and the correct code is ;<BR /> EventCode=4625<BR /> The Account field doesn't exist, there is a subfield that tracks the username that I want to look for, this is a example of the log;<BR /> <IMG src="http://i41.tinypic.com/2vb0rqs.png" alt="alt text" /></P> <P>The yellow part would be the "Account" but I don't know how to track it, and if I use <BR /> "EventCode=4625 | transaction ComputerName maxspan=2m | search eventcount&gt;1" trying to track the ComputerName field, It shows all the events, not only events happened in the last 2 minutes.</P> Mon, 20 May 2013 11:07:19 GMT https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39531#M470 Silverfeyn 2013-05-20T11:07:19Z https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39532#M471 <P>You can extract that field in the search like this:</P> <PRE><CODE>... | rex "Nombre de cuenta:\s*(?&lt;account&gt;\w+)" | transaction ... </CODE></PRE> <P>To make the extraction stick you can put the regular expression into a field extraction through the manager.</P> Mon, 20 May 2013 12:49:50 GMT https://community.splunk.com/t5/Alerting/How-can-I-search-for-two-same-events-with-2-minutes-between-them/m-p/39532#M471 martin_mueller 2013-05-20T12:49:50Z