https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367052#M165281 <P>I usually search many failed logins to find a brute force attack.</P> <P>If instead you want to know which creadentials were stuffed, you can add a condition:</P> <PRE><CODE> index=your_index (MESSAGE="login" OR MESSAGE="FAILED") | stats count by USERNAME IPADDRESS | where count&gt;5 AND MESSAGE="login" </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Sun, 12 Nov 2017 11:11:42 GMT gcusello 2017-11-12T11:11:42Z https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367049#M165278 <P>Hello All,</P> <P>Sorry relativly new to splunk - and so this query may be a pile of garbage! To sumerise, i have a query here which is looking for brute force attacks against my website. The criteria is 5&gt; Unique failed attempted Users, with 1+ Successful usernames over a given time period. I would like to display as part of this query, the time at which that successful connection occurred. </P> <PRE><CODE>..... | dedup _raw,_time,source,host | dedup USERNAME,IPADDRESS | eval SuccessUSERNAME= if((MESSAGE="login"),USERNAME,"") | eval FailedUSERNAME= if((MESSAGE="FAILED"),USERNAME,"") |stats count(eval(MESSAGE="FAILED")) as FailedLogon, count(eval(MESSAGE="login")) as SuccessfulLogon, values(SuccessUSERNAME), by IPADDRESS | search FailedLogon&gt;5 SuccessfulLogon&gt;=1 </CODE></PRE> <P>Tried numerous things; suspect that a nested query would be required, but as my knowledge of splunk is very limited, and any help would be much appreciated! </P> Sun, 12 Nov 2017 10:39:07 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367049#M165278 JgTheGreat 2017-11-12T10:39:07Z https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367050#M165279 <P>Hi JgTheGreat,<BR /> why don't your try something more easy,:</P> <PRE><CODE>index=your_index (MESSAGE="login" OR MESSAGE="FAILED") | stats count by USERNAME IPADDRESS | where count&gt;5 </CODE></PRE> <P>You coulr run this search as an alarm every 5 minutes (or a smaller period).<BR /> In this way you're alerted both if there are five logfailed and one login or 5 logfailed</P> <P>Bye.<BR /> Giuseppe</P> Sun, 12 Nov 2017 10:50:32 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367050#M165279 gcusello 2017-11-12T10:50:32Z https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367051#M165280 <P>Not sure that i've fully explained the query. I'm after the number of unique accounts that are seen attempting to login over that time period. </P> <P>The query is specifically looking for credential stuffing, where the credentials were correct. Make sense?</P> Sun, 12 Nov 2017 11:00:01 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367051#M165280 JgTheGreat 2017-11-12T11:00:01Z https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367052#M165281 <P>I usually search many failed logins to find a brute force attack.</P> <P>If instead you want to know which creadentials were stuffed, you can add a condition:</P> <PRE><CODE> index=your_index (MESSAGE="login" OR MESSAGE="FAILED") | stats count by USERNAME IPADDRESS | where count&gt;5 AND MESSAGE="login" </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Sun, 12 Nov 2017 11:11:42 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Splunk-Query-Time-of-event-within-consolidate-events/m-p/367052#M165281 gcusello 2017-11-12T11:11:42Z