topic How to check 10 days prior to an event in Splunk for a failed login attempt? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-check-10-days-prior-to-an-event-in-Splunk-for-a-failed/m-p/634914#M220567 <P>I have a search in Splunk that returns events for failed logins. I want to be able to check for a successful authentication from a user and an IP 10 days prior to the failed login. Is this possible via a query?</P><P>index=logins<BR />| where AuthenticationResults="failed"<BR />| sort 0 - _time<BR />| eval successtime = if(AuthenticationResult=="success", _time, null())</P> Fri, 17 Mar 2023 14:09:45 GMT MM0071 2023-03-17T14:09:45Z How to check 10 days prior to an event in Splunk for a failed login attempt? https://community.splunk.com/t5/Splunk-Search/How-to-check-10-days-prior-to-an-event-in-Splunk-for-a-failed/m-p/634914#M220567 <P>I have a search in Splunk that returns events for failed logins. I want to be able to check for a successful authentication from a user and an IP 10 days prior to the failed login. Is this possible via a query?</P><P>index=logins<BR />| where AuthenticationResults="failed"<BR />| sort 0 - _time<BR />| eval successtime = if(AuthenticationResult=="success", _time, null())</P> Fri, 17 Mar 2023 14:09:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-10-days-prior-to-an-event-in-Splunk-for-a-failed/m-p/634914#M220567 MM0071 2023-03-17T14:09:45Z Re: How to check 10 days prior to an event in Splunk for a failed login attempt? https://community.splunk.com/t5/Splunk-Search/How-to-check-10-days-prior-to-an-event-in-Splunk-for-a-failed/m-p/634941#M220573 <P>OK. So there are some things that can be fixed in the first place.</P><P>1. Don't do</P><PRE>index=logins<BR />| where AuthenticationResults="failed"</PRE><P>just do</P><PRE>index=logins AuthenticationResults="failed"</PRE><P>With one very small caveat that there are some situations when the field is parsed out from a longer string so that it's not broken as indexed term. But generally it's much better to do it like that.</P><P>But in your case since you want all types of results, that condition is not needed anyway.</P><P>2. Reverse sorting by _time is completely unneeded since Splunk by default returns data this way.</P><P>3. OK. So you want to find all logins, regardless of their state</P><PRE>index=logins (and any further conditions that can narrow your results to<BR />just logins in case you have other data in that index)</PRE><P>Then you want to find the times of failed logins. First create an additional field which will exist only for those failed logins</P><PRE>| eval failedlogintime=if(AuthenticationResult=="failed",_time,null())</PRE><P>Then for each event find when was the latest failed login</P><PRE>| streamstats latest(failedlogintime) as failedlogintime by user IP</PRE><P>Now you can only filter out those which are longer than 10 days before failed login</P><PRE>| where failedlogintime-_time&lt;=864000</PRE><P>&nbsp;</P> Fri, 17 Mar 2023 15:36:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-check-10-days-prior-to-an-event-in-Splunk-for-a-failed/m-p/634941#M220573 PickleRick 2023-03-17T15:36:16Z