https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633071#M219911 <P>There are 3 cases to consider: 1 OK and 2 not Ok - the last line attempts to find the 2 not OK</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%">_time</TD><TD width="25%">status</TD><TD width="25%">success time</TD></TR><TR><TD width="25%">10:20</TD><TD width="25%">success</TD><TD width="25%">10:20</TD></TR><TR><TD width="25%">10:10</TD><TD width="25%">failed</TD><TD width="25%">10:20</TD></TR></TBODY></TABLE><P>log in failed but there was a successful log in within 30 minutes</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%">_time</TD><TD width="25%">status</TD><TD width="25%">success time</TD></TR><TR><TD width="25%">09:40</TD><TD width="25%">failed</TD><TD width="25%">&nbsp;</TD></TR></TBODY></TABLE><P>log in failed but no successful log in (success time is null)</P><TABLE border="1" width="56.24999704439787%"><TBODY><TR><TD width="25%">_time</TD><TD width="25%">status</TD><TD width="25%">success time</TD></TR><TR><TD width="25%">08:20</TD><TD width="25%">success</TD><TD width="25%">08:20</TD></TR><TR><TD width="25%">07:10</TD><TD width="25%">failed</TD><TD width="25%">08:20</TD></TR></TBODY></TABLE><P>log in failed but successful log in was 70 minutes after failure</P> Thu, 02 Mar 2023 22:30:20 GMT ITWhisperer 2023-03-02T22:30:20Z https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/632620#M219767 <P>I have a search in Splunk that returns events for failed logins. I want to be able to check 30 minutes after the event for that user to see if they didn't have a successful login. I'm struggling with the second part of this search.&nbsp;<BR /><BR />index=logins<BR />| where AuthenticationResults="failed"<BR />| eval failedLogin=strftime(_time,"%x %r")</P> Thu, 02 Mar 2023 19:53:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/632620#M219767 MM0071 2023-03-02T19:53:13Z https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/632636#M219774 <P>Try something like this</P><LI-CODE lang="markup">index ... AuthenticationResult="failed" or AuthenticationResult="success" | sort 0 - _time | eval successtime = if(AuthenticationResult=="success", _time, null()) | streamstats last(successtime) as successtime by user | where AuthenticationResult=="failed" AND (isnull(successtime) OR successtime - _time &gt; 1800)</LI-CODE> Tue, 28 Feb 2023 19:04:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/632636#M219774 ITWhisperer 2023-02-28T19:04:17Z https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633043#M219901 <P>Thank you a lot for this! Can you please explain me the logic of the last line?</P> Thu, 02 Mar 2023 18:30:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633043#M219901 MM0071 2023-03-02T18:30:06Z https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633071#M219911 <P>There are 3 cases to consider: 1 OK and 2 not Ok - the last line attempts to find the 2 not OK</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%">_time</TD><TD width="25%">status</TD><TD width="25%">success time</TD></TR><TR><TD width="25%">10:20</TD><TD width="25%">success</TD><TD width="25%">10:20</TD></TR><TR><TD width="25%">10:10</TD><TD width="25%">failed</TD><TD width="25%">10:20</TD></TR></TBODY></TABLE><P>log in failed but there was a successful log in within 30 minutes</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%">_time</TD><TD width="25%">status</TD><TD width="25%">success time</TD></TR><TR><TD width="25%">09:40</TD><TD width="25%">failed</TD><TD width="25%">&nbsp;</TD></TR></TBODY></TABLE><P>log in failed but no successful log in (success time is null)</P><TABLE border="1" width="56.24999704439787%"><TBODY><TR><TD width="25%">_time</TD><TD width="25%">status</TD><TD width="25%">success time</TD></TR><TR><TD width="25%">08:20</TD><TD width="25%">success</TD><TD width="25%">08:20</TD></TR><TR><TD width="25%">07:10</TD><TD width="25%">failed</TD><TD width="25%">08:20</TD></TR></TBODY></TABLE><P>log in failed but successful log in was 70 minutes after failure</P> Thu, 02 Mar 2023 22:30:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633071#M219911 ITWhisperer 2023-03-02T22:30:20Z https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633253#M219994 <P>Thank you greatly! This is what I was looking for! Do you know what I could do to only display failed in login attempts for users who did not authenticate after the 30 minutes? Would it be as simple as changing AuthenticationResult to "failure"?</P> Fri, 03 Mar 2023 21:29:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633253#M219994 MM0071 2023-03-03T21:29:02Z https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633254#M219995 <P>That is what the where command currently does.</P> Fri, 03 Mar 2023 21:37:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-30-minutes-after-an-event-in-Splunk-for-a-failed/m-p/633254#M219995 ITWhisperer 2023-03-03T21:37:41Z