https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285441#M86363 <P>Try updated answer</P> Wed, 27 Jul 2016 19:42:29 GMT sundareshr 2016-07-27T19:42:29Z https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285438#M86360 <P>Hello,</P> <P>I'm working on a search for blackboard that will return users who have failed to log in more than 3 times in 10 minutes. I'd like to include a field telling whether or not the student successfully logged in afterward, but I'm not sure how to go about it. I have included my current search below, as well as some sample data.</P> <P>Search: </P> <PRE><CODE>index = blackboard earliest=-34h | search evt_code=2 | geoip src_ip | stats sum(evt_code) as count values(evt_name) values(evt_code) as Message values(src_ip) as "Source IP" values(src_ip_city) as City values(src_ip_region_name) as State/Region values(src_ip_country_name) as "Country Name" by duser | bin _time span=10m | sort -count | where count &gt; 2 </CODE></PRE> <P>data:</P> <PRE><CODE>timestamp=Jul 26 2016 8:00:52.312CDT|app_vend=blackboard|app_name=learn|app_ver=9.1.201510.1171621|evt_code=2|evt_name=login failed|sev=2|cat=authentication|authnprovider=_104_1|dhost=xx.xxxx.edu|outcome=failure|src_ip=xx.xx.xx.xx|duid=_20745_1|duser=duser|text=login failed|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 timestamp=Jul 26 2016 18:01:03.453 CDT|app_vend=blackboard|app_name=learn|app_ver=9.1.201510.1171621|evt_code=2|evt_name=login failed|sev=2|cat=authentication|authnprovider=_104_1|dhost=xx.xxxx.edu|outcome=failure|src_ip=xx.xx.xx.xx|duid=_20745_1|duser=duer|text=login failed|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 timestamp=Jul 26 2016 23:59:29.502 CDT|app_vend=blackboard|app_name=learn|app_ver=9.1.201510.1171621|evt_code=0|evt_name=login succeeded|sev=0|cat=authentication|authnprovider=_124_1|dhost=xx.xxxx.edu|outcome=success|src_ip=xx.xx.xx.xx|duid=_22885_1|duser=duser|text=login succeeded|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 </CODE></PRE> Wed, 27 Jul 2016 18:47:27 GMT https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285438#M86360 janderson19 2016-07-27T18:47:27Z https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285439#M86361 <P>Try this</P> <P>*<STRONG><EM>UPDATED</EM></STRONG>*</P> <PRE><CODE> index = blackboard earliest=-34h evt_code=2 OR evt_code=0 | geoip src_ip | bin _time span=10m | stats count values(evt_name) as EventName values(src_ip) as "Source IP" values(src_ip_city) as City values(src_ip_region_name) as State/Region values(src_ip_country_name) as "Country Name" by duser _time | sort -count | where count&gt;2 AND mvindex(EventName, mvcount(EventName)-1)="*Success*" </CODE></PRE> Wed, 27 Jul 2016 19:00:44 GMT https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285439#M86361 sundareshr 2016-07-27T19:00:44Z https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285440#M86362 <P>Ah, yes. Got that. I missed the end when I was copying, I guess haha. What I need help with is showing that the user eventually logged in.</P> Wed, 27 Jul 2016 19:03:42 GMT https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285440#M86362 janderson19 2016-07-27T19:03:42Z https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285441#M86363 <P>Try updated answer</P> Wed, 27 Jul 2016 19:42:29 GMT https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285441#M86363 sundareshr 2016-07-27T19:42:29Z https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285442#M86364 <P>Got this to work, in a way. I used both of our queries so that they only return a value if the user failed to log in 3 or more times in 10 minutes, and failed to log in at all. Here is the query, for future reference:</P> <PRE><CODE>set diff [ search index=blackboard AND evt_code=2 | geoip src_ip | stats sum(evt_code) as count values(evt_name) values(evt_code) as Message values(src_ip) as "Source IP" values(src_ip_city) as City values(src_ip_region_name) as State/Region values(src_ip_country_name) as "Country Name" by duser | where count &gt; 2 ] [search index=blackboard AND evt_code=2 OR evt_code=0 | geoip src_ip | stats count values(evt_name) as EventName values(src_ip) as "Source IP" values(src_ip_city) as City values(src_ip_region_name) as State/Region values(src_ip_country_name) as "Country Name" by duser _time | where count&gt;2 AND mvindex(EventName, mvcount(EventName)-1)="*Success*"] | bin _time span=10m | sort -count </CODE></PRE> Thu, 04 Aug 2016 21:55:44 GMT https://community.splunk.com/t5/Splunk-Search/need-help-editing-my-search-to-find-users-who-have-failed-to-log/m-p/285442#M86364 janderson19 2016-08-04T21:55:44Z