topic how to search same event occur four times in five minutes in Splunk Search

how to search same event occur four times in five minutes

lllidan — Tue, 15 May 2018 09:20:50 GMT

i got a mission from my manager, search the the same account login failure event occur four times in per five minutes , could you please help me or give me some suggestion ? thanks a lot, from a beginner.

Re: how to search same event occur four times in five minutes

mayurr98 — Tue, 15 May 2018 09:48:04 GMT

you can try something like this

index=<your_index> "login failure" 
| timechart span=5m count 
| where count=4

You can change the condition count=4 according to your requirement.

let me know if this helps!

Re: how to search same event occur four times in five minutes

niketn — Tue, 15 May 2018 10:58:59 GMT

@lllidan you would need to add more details around the data and fields for us to assist you better. Mask/Anonymize any sensitive information before posting.

Assuming account field is AccountName

<yourBaseSearchForLoginFailure> AccountName=*
| bin _time span=5m
| stats count as LoginFailure by _time AccountName
| where LoginFailure>=4

Re: how to search same event occur four times in five minutes

FrankVl — Tue, 15 May 2018 11:05:20 GMT

Note that this would miss cases where the 4 attempts are spread across two 5 minute windows. But it is a simple way to start.

Re: how to search same event occur four times in five minutes

FrankVl — Tue, 15 May 2018 11:30:07 GMT

To analyse this with a sliding 5 minute window (rather than simply using a timechart, or manually grouping events into 5 minute bins), you can use something like the following (adjust it to your situation):

...<your base search here>...
| streamstats count time_window=5m by user
| where count >=4

Re: how to search same event occur four times in five minutes

lllidan — Wed, 16 May 2018 06:06:28 GMT

thanks for your help, and below is my base search:

EventCode=4625 Keyword=Logon_Failed

and i wanna to display the Account_Name or Hostname on the column via timechart or Dashboard.

otherwise, " 4 attempts in 5 minutes" means after the first attempt , in 5 minutes occur other 3 times attempts , how can i define the 5 minutes time period after the first attempt ?

do you have some good suggestion ?
thanks in advance.

Re: how to search same event occur four times in five minutes

mayurr98 — Wed, 16 May 2018 06:11:04 GMT

index=<your_index> EventCode=4625 Keyword=Logon_Failed | timechart span=5m count by account_name where count>=4

Re: how to search same event occur four times in five minutes

lllidan — Wed, 16 May 2018 06:16:31 GMT

thanks for your help, and below is my base search:

EventCode=4625 Keyword=Logon_Failed

and i wanna to display the Account_Name or Hostname on the column via timechart or Dashboard.

otherwise, " 4 attempts in 5 minutes" means after the first attempt , in 5 minutes occur other 3 times attempts , how can i define the 5 minutes time period after the first attempt ?

do you have some good suggestion ?
thanks in advance.

Re: how to search same event occur four times in five minutes

niketn — Wed, 16 May 2018 18:04:05 GMT

@FrankVl, I think count=4 will give all the users with 4 or more login failed in 5 minute window and that should be the where condition i.e.

| where count=4

The count>=4 will not add any value since failed attempt 1,2 and 3 will be removed.

For details | streamstats count time_window=5m by user can be used as it is possibly add a | eval Threshold=4 to see at what point of time did the failed login attempt cross 4 or more.

Re: how to search same event occur four times in five minutes

niketn — Wed, 16 May 2018 18:04:39 GMT

@FrankVl 's suggestion should do it! Try out and accept his answer if it works for you!

Re: how to search same event occur four times in five minutes

FrankVl — Thu, 17 May 2018 09:07:42 GMT

Yeah, that makes sense. doing >=4 just gives a lot of extra records for users that failed more than 4 times. Filtering for just the =4 shows the event that caused it to meet the threshold.