topic Re: How to edit my search to sort by date, time, and user? in Splunk Search

How to edit my search to sort by date, time, and user?

HCadmins — Wed, 31 Aug 2016 19:54:18 GMT

Hi Splunk Answers!

I'm new to Splunk. I am trying to create a statistics table that shows our VPN users, their failed logins, and a timestamp.

My current search string is this

host=* sourcetype=UTM:system sub=auth name="Authentication failed" AND "Authentication Failed" | convert timeformat="%m-%d-%y %I:%M %p" ctime(_time) as thetime | stats list(thetime) as "Timestamp" by user

Any sorting I append to the end of that search string doesn't sort by the newest date/time. Preferably, I'd like to see the top ten latest failed authentications by user.

Thanks in advance.

Re: How to edit my search to sort by date, time, and user?

somesoni2 — Wed, 31 Aug 2016 21:07:10 GMT

Give this a try

host=* sourcetype=UTM:system sub=auth name="Authentication failed" AND "Authentication Failed" | dedup 10 user | convert timeformat="%m-%d-%y %I:%M %p" ctime(_time) as thetime | stats list(thetime) as "Timestamp" by user

Re: How to edit my search to sort by date, time, and user?

HCadmins — Wed, 31 Aug 2016 21:22:50 GMT

Hi, thanks for the answer. It's still grouping the events by user and not by time.

Re: How to edit my search to sort by date, time, and user?

somesoni2 — Wed, 31 Aug 2016 21:33:49 GMT

The query should be showing top 10 latest failed (generated by dedup) authentication entries for every user, as per your requirement. If the sorting of the Timestamp is off, then try this

host=* sourcetype=UTM:system sub=auth name="Authentication failed" AND "Authentication Failed" | dedup 10 user  | stats list(_time) as "Timestamp" by user | eval Timestamp=mvsort(Timestamp)| convert timeformat="%m-%d-%y %I:%M %p" ctime(Timestamp) as Timestamp

Re: How to edit my search to sort by date, time, and user?

somesoni2 — Wed, 31 Aug 2016 21:34:11 GMT

Or provide some sample expected output and current output?

Re: How to edit my search to sort by date, time, and user?

HCadmins — Wed, 31 Aug 2016 21:41:16 GMT

Hi, and thanks again for your help. I've attached a screenshot of the output. What it appears to be doing is listing the users alphabetically, and then each user's latest failed logins. I was hoping to get the latest failed logins, and their associated user.

Re: How to edit my search to sort by date, time, and user?

sundareshr — Wed, 31 Aug 2016 22:06:37 GMT

Try this

host=* sourcetype=UTM:system sub=auth name="Authentication failed" AND "Authentication Failed" | convert timeformat="%m-%d-%y %I:%M %p" ctime(_time) as thetime | sort thetime | streamstats count by user | where count<=10 | stats list(thetime) as "Timestamp" by user

Re: How to edit my search to sort by date, time, and user?

HCadmins — Wed, 31 Aug 2016 22:12:41 GMT

Hi, and thanks. This string gives the same result as the above result. It lists users alphabetically, then their associated failed logins by time. I'm interested in the 10 most recent failed login attempts and their associated users.

Re: How to edit my search to sort by date, time, and user?

somesoni2 — Wed, 31 Aug 2016 22:14:38 GMT

It may be simple as this.

 host=* sourcetype=UTM:system sub=auth name="Authentication failed" AND "Authentication Failed" | head 10 | table user _time | eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p") | table user Timestamp

Re: How to edit my search to sort by date, time, and user?

HCadmins — Thu, 01 Sep 2016 17:26:44 GMT

Okay, I think that worked. Thank you for your help!