https://community.splunk.com/t5/Splunk-Search/Enrichment-with-sub-search-in-a-certain-time-period-by-using/m-p/559656#M158992 <P>Hi Folks,<BR /><BR /></P><P>I am trying to enrich my search with subsearch in the same time bucket/bin. The search can be found below.</P><P><STRONG>Details:</STRONG></P><P><U>Main search:</U><SPAN>&nbsp;</SPAN>looking for 5 times or more failed login attempts from an account/user. if login attempt get failed, userid doesn't show up, however if it can be successful on subsequent attempts, userid shows up in the logs.<BR /><U>Subsearch :</U><SPAN>&nbsp;</SPAN>looking for username by using userid. this username will enrich main search's username field along with the userid.&nbsp;</P><P><STRONG>Two complications:</STRONG></P><P><BR />1. userid is supposed to be unique, but not always, so both main search and subsearch should look for same time frame to create correct results.&nbsp;</P><P>2. sometimes subsearch could not find username due to the lack of successful login, in this case I want my main main search should show result without username or fill username with NULL or so.</P><P>Note: not sure the following way is proper or not. but looks working without meeting second complication mentioned above.&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><PRE>index="useractivity" event=login response.login=failed | eval temp=split(userid, ":") | eval urole=mvindex(temp,5) | bucket _time span=15m | join type=inner userid [ search index="useractivity" | eval userid_tmp=split(userid, ":") | eval userid=mvindex(userid_tmp, 0), username=mvindex(userid_tmp, 1) | bucket _time span=15m | stats latest(userid) as userid by username ] | stats values(src_ip) values(event) count(event) as total by _time user urole userid username | where total &gt;= 5</PRE> Thu, 15 Jul 2021 17:04:51 GMT splunkerer 2021-07-15T17:04:51Z https://community.splunk.com/t5/Splunk-Search/Enrichment-with-sub-search-in-a-certain-time-period-by-using/m-p/559656#M158992 <P>Hi Folks,<BR /><BR /></P><P>I am trying to enrich my search with subsearch in the same time bucket/bin. The search can be found below.</P><P><STRONG>Details:</STRONG></P><P><U>Main search:</U><SPAN>&nbsp;</SPAN>looking for 5 times or more failed login attempts from an account/user. if login attempt get failed, userid doesn't show up, however if it can be successful on subsequent attempts, userid shows up in the logs.<BR /><U>Subsearch :</U><SPAN>&nbsp;</SPAN>looking for username by using userid. this username will enrich main search's username field along with the userid.&nbsp;</P><P><STRONG>Two complications:</STRONG></P><P><BR />1. userid is supposed to be unique, but not always, so both main search and subsearch should look for same time frame to create correct results.&nbsp;</P><P>2. sometimes subsearch could not find username due to the lack of successful login, in this case I want my main main search should show result without username or fill username with NULL or so.</P><P>Note: not sure the following way is proper or not. but looks working without meeting second complication mentioned above.&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><PRE>index="useractivity" event=login response.login=failed | eval temp=split(userid, ":") | eval urole=mvindex(temp,5) | bucket _time span=15m | join type=inner userid [ search index="useractivity" | eval userid_tmp=split(userid, ":") | eval userid=mvindex(userid_tmp, 0), username=mvindex(userid_tmp, 1) | bucket _time span=15m | stats latest(userid) as userid by username ] | stats values(src_ip) values(event) count(event) as total by _time user urole userid username | where total &gt;= 5</PRE> Thu, 15 Jul 2021 17:04:51 GMT https://community.splunk.com/t5/Splunk-Search/Enrichment-with-sub-search-in-a-certain-time-period-by-using/m-p/559656#M158992 splunkerer 2021-07-15T17:04:51Z https://community.splunk.com/t5/Splunk-Search/Enrichment-with-sub-search-in-a-certain-time-period-by-using/m-p/559894#M159097 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234050">@splunkerer</a>&nbsp;,</P><P>With your permission I'll start from the beginning, with your problem statement. You wrote that "<SPAN>if login attempt get failed, userid doesn't show up" and "userid is supposed to be unique, but not always".&nbsp;</SPAN></P><P><SPAN>So how do you link between the failed login events and the following successful&nbsp;one ? by host name or some id ?</SPAN></P><P><SPAN>If possible can you share some sample dataset from your dev/QA environment&nbsp;or something similar ?</SPAN></P><P>&nbsp;</P> Sat, 17 Jul 2021 09:51:07 GMT https://community.splunk.com/t5/Splunk-Search/Enrichment-with-sub-search-in-a-certain-time-period-by-using/m-p/559894#M159097 efika 2021-07-17T09:51:07Z