Alerting

How to add reoccurring days in splunk?

majidlodhi
Explorer

Hi All,

I am new to Splunk and not a pro in scripting; any help will be appreciated. I am trying to write a query that will display data for recurring failed login attempts over a period of three days where count = or more than 50.

E.g.: if the user failed to login 60 times today and 10 times on each of the next two days, the alert should not fire, but if the user failed to login 60 times today, 70 tomorrow and 55 on the third day, it should fire with the details that I ask for.

I have written the below query thus far, but I am not able to figure out the "3 days" part and how it should be written:
sourcetype=wineventlog:security action=failure | search daysago=3 WHERE count>50 | stats count by user,EventCode,Status,Failure_Reason | sort - count

Thank you.

1 Solution

aholzer
Motivator

You were fairly close, just had your syntax slightly off, and the order of operations backwards.

1. Run a stats to count the number of failures by user and day

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time

2. Next, look for anything that resulted in more than 50

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50

3. Next, assuming you will run this once a day for "today" + 2 days, then you will want to count the number of occurrences where a single user had >50 failures

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user

4. Finally, you only want to alert if there are any users with a count > 2

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user | search count > 2

So when you configure your alert make sure to configure it to run for earliest: -3d@d latest: @d, and configure it to run once a day early in the morning.

Hope this helps


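As an added example that is not part of the original thread, here is the accepted answer's pipeline re-implemented in Python over constructed sample events, so the two scenarios from the question (60/10/10 must not fire, 60/70/55 must fire) can be checked offline. The events, user names and timestamps are made up; the only real thing mirrored is the search logic: bucket by day, keep days with more than 50 failures, count those days per user, and alert when the count exceeds 2, inside an earliest=-3d@d, latest=@d window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real log data). Each tuple stands in for one
# sourcetype=wineventlog:security event with action=failure; only the fields the
# search uses are kept: (_time, user, EventCode, Status, Failure_Reason).
BAD_PW = (4625, "0xC000006D", "Unknown user name or bad password.")


def make_events():
    base = datetime(2024, 6, 1, tzinfo=timezone.utc)
    events = []

    def add(user, day_offset, n):
        for i in range(n):  # one failure per minute, all inside the same day
            events.append((base + timedelta(days=day_offset, minutes=i), user) + BAD_PW)

    # alice: 60 / 10 / 10 failures on Jun 1-3 -> the question's "should not fire" case
    for day, n in enumerate((60, 10, 10)):
        add("alice", day, n)
    # bob: 60 / 70 / 55 on Jun 1-3 -> the question's "should fire" case
    for day, n in enumerate((60, 70, 55)):
        add("bob", day, n)
    # carol: 80 on May 31 (outside the -3d@d..@d window) and 55 on Jun 3 -> no alert
    add("carol", -1, 80)
    add("carol", 2, 55)
    return events


def bucket_day(ts):
    """bucket _time span=1d: truncate the timestamp to midnight (UTC here)."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def recurring_failures(events, earliest, latest, per_day_threshold=50, min_days=3):
    """Python equivalent of the accepted answer's SPL pipeline.

    stats count by user, _time  -> per_user_day
    search count > 50           -> per_day_threshold (strict, as in the answer)
    stats count by user         -> days_over
    search count > 2            -> min_days=3 (count > 2 is the same as >= 3)
    Returns {user: days_over_threshold} for the users that would alert.
    """
    per_user_day = defaultdict(int)
    for ts, user, *_ in events:
        if not (earliest <= ts < latest):  # Splunk earliest is inclusive, latest exclusive
            continue
        per_user_day[(user, bucket_day(ts))] += 1

    # A day with zero failures produces no row, exactly as stats does, so a user can
    # only reach min_days by exceeding the threshold on min_days distinct days.
    days_over = defaultdict(int)
    for (user, _day), count in per_user_day.items():
        if count > per_day_threshold:
            days_over[user] += 1

    return {user: d for user, d in days_over.items() if d >= min_days}


def run_daily(events, now, **thresholds):
    """Scheduled-search view: earliest=-3d@d, latest=@d relative to `now`."""
    latest = bucket_day(now)               # @d: midnight today
    earliest = latest - timedelta(days=3)  # -3d@d: midnight three days ago
    return recurring_failures(events, earliest, latest, **thresholds)


def demo(**thresholds):
    """Run the scheduled search at 05:00 UTC on Jun 4 over the sample events."""
    now = datetime(2024, 6, 4, 5, 0, tzinfo=timezone.utc)  # "early in the morning"
    return run_daily(make_events(), now, **thresholds)


if __name__ == "__main__":
    print(demo())  # {'bob': 3}
```

Two things the mirror makes visible: the answer's `search count > 50` is strict, so a day with exactly 50 failures does not count (the question asked for "50 or more", which would be `>= 50`), and the window boundary matters: carol's 80 failures on May 31 fall before `-3d@d` and are never bucketed, so she does not alert even though she has two heavy days in the data.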

majidlodhi
Explorer

Thank you very much. It works now:)
