topic Re: use stat count in Splunk Search

use stat count

sg5258 — Mon, 25 Jun 2012 10:02:57 GMT

I working on a query to pinpoint a login attempt failure on a particular network address.. hence i use a count stat on network address, here is my query

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port

however, the result is not as ideal as i want... now seems like it is counting asdasd (userName) where i want the source 10.110.12.143 being count how many time with the bucket of 15 minute regardless on what user_name

so if i do the following

source = "WinEventLog:Security"  EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port | search y >3

i only get result from user_name asdasd
Anyone can guide me on this?

  time                   source_network_Address User_Name Workstation_Name Source_Port y
  6/25/12 4:15:00.000 PM 10.110.12.143          134        SGVM-QA0012         2149    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          asdasd     SGVM-QA0012         2149    4 
  6/25/12 4:15:00.000 PM 10.110.12.143          dfsfds     SGVM-QA0012         2257    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          iojioj     SGVM-QA0012         2149    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          kjnhg      SGVM-QA0012         2257    1 
  6/25/12 4:15:00.000 PM 10.110.12.143          rtyjk      SGVM-QA0012         2257    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          admin      SGVM-QA0012         2118    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          admin      SGVM-QA0012         2280    1 
  6/25/12 4:30:00.000 PM 10.110.12.143          hjtyjty    SGVM-QA0012         2118    1

Re: use stat count

Ayn — Mon, 25 Jun 2012 10:12:12 GMT

If you don't want it to split by username, then why are you splitting by username?

Re: use stat count

kristian_kolb — Mon, 25 Jun 2012 10:46:31 GMT

As Ayn says, you're complicating it too much. If you only want to find out how many failed login attempts have been made towards this particular host in each 15 minute period, the following should work.

source = "WinEventLog:Security"  EventCode="529" Source_Network_Address=10.110.12.143 | bucket _time span=15m | stats count(Source_Network_Address) as y by _time

UPDATE:

Would this be what you want?

source = "WinEventLog:Security"  EventCode="529"  | bucket _time span=15m | stats count values(User_Name) as y by _time Source_Network_Address

/Kristian

Re: use stat count

sg5258 — Tue, 26 Jun 2012 01:17:50 GMT

hi,
Thanks for the suggestion..
I got your point.
However, the sample i offer is because i only test on my computer hence the network address is the same..
i require to detect ANY OF network_address, it is not particular 1 address.
But, anyway still thank you for your point.

Re: use stat count

kristian_kolb — Tue, 26 Jun 2012 07:22:38 GMT

see update above. /k

Re: use stat count

sg5258 — Tue, 26 Jun 2012 09:02:19 GMT

great!!!
thanks for the update.. it worked now!