Alerting

How to add reoccurring days in splunk?

majidlodhi
Explorer

Hi All,

I am new to splunk and not a pro in scripting, any help will be appreciated. I am trying to write a query that will display data for reoccurring failed login attempts over a period of three days where count is equal to or more than 50.

E.g.: if the user failed to login 60 times today and 10 times on each of the next two days, the alert should not fire; but if the user failed to login 60 times today, 70 tomorrow and 55 on the third day, it should fire with the details that I ask for.

I have written the below query thus far but I am not able to figure out the "3 days" part and how it should be written,
sourcetype=wineventlog:security action=failure | search daysago=3 WHERE count>50 | stats count by user,EventCode,Status,Failure_Reason | sort - count

Thank you.

0 Karma
1 Solution

aholzer
Motivator

You were fairly close, just had your syntax slightly off, and the order of operations backwards.

1. Run a stats to count the number of failures by user and day

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time

2. Next, look for anything that resulted in more than 50

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50

3. Next, assuming you will run this once a day for "today" + 2 days, you will want to count the number of occurrences where a single user had >50 failures

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user

4. Finally, you only want to alert if there are any users with a count > 2

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user | search count > 2

So when you configure your alert make sure to configure it to run for earliest: -3d@d latest: @d, and configure it to run once a day early in the morning.

Hope this helps

0 Karma
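The pipeline in the accepted answer is easy to get subtly wrong (per-day threshold first, then count of qualifying days, then the -3d@d..@d window), so here is the same logic re-implemented in Python as an added example for checking the behaviour offline. This is not code from the thread or from Splunk; the event data is constructed for the example, and the function names (build_events, in_window, alert_users) are mine.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Thresholds from the thread: more than 50 failures in a day, on more than 2 days.
DAILY_THRESHOLD = 50
DAY_THRESHOLD = 2


def build_events(spec):
    """Expand a constructed {user: {day: count}} spec into (timestamp, user) events.

    Stands in for the raw wineventlog:security action=failure events; the data is
    made up for this example, not real logon records.
    """
    events = []
    for user, days in spec.items():
        for day, count in days.items():
            for i in range(count):
                events.append((f"{day}T{i % 24:02d}:{i % 60:02d}:{i % 7:02d}Z", user))
    return events


# Constructed data, four users over four calendar days:
#   alice: 60 / 10 / 10  -> over the daily threshold once, must not alert
#   bob:   60 / 70 / 55  -> over the threshold on all three days, must alert
#   carol: 49 / 49 / 49  -> 147 failures total but never >50 in one day, must not alert
#   dave:  70 on the fourth day only ("today"), which a -3d@d..@d window excludes
SAMPLE_EVENTS = build_events({
    "alice": {"2024-01-01": 60, "2024-01-02": 10, "2024-01-03": 10},
    "bob":   {"2024-01-01": 60, "2024-01-02": 70, "2024-01-03": 55},
    "carol": {"2024-01-01": 49, "2024-01-02": 49, "2024-01-03": 49},
    "dave":  {"2024-01-04": 70},
})


def bucket_day(ts):
    """Equivalent of `bucket _time span=1d`: truncate the event time to its calendar day."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()


def in_window(events, today):
    """Apply the alert's time range earliest=-3d@d latest=@d relative to `today`
    (an ISO date string): the three complete days before today, today excluded."""
    latest = date.fromisoformat(today)
    earliest = latest - timedelta(days=3)
    return [(ts, user) for ts, user in events if earliest <= bucket_day(ts) < latest]


def failures_per_user_day(events):
    """`stats count by user, _time` after day bucketing -> {(user, 'YYYY-MM-DD'): count}."""
    counts = defaultdict(int)
    for ts, user in events:
        counts[(user, bucket_day(ts).isoformat())] += 1
    return dict(counts)


def days_over_threshold(events, daily_threshold=DAILY_THRESHOLD):
    """`search count > 50 | stats count by user` -> {user: number of qualifying days}."""
    bad_days = defaultdict(int)
    for (user, _day), n in failures_per_user_day(events).items():
        if n > daily_threshold:
            bad_days[user] += 1
    return dict(bad_days)


def alert_users(events, today, daily_threshold=DAILY_THRESHOLD, day_threshold=DAY_THRESHOLD):
    """Full pipeline: time window -> daily counts -> qualifying-day counts -> `search count > 2`."""
    scoped = in_window(events, today)
    return sorted(u for u, d in days_over_threshold(scoped, daily_threshold).items()
                  if d > day_threshold)


if __name__ == "__main__":
    run_day = "2024-01-04"  # the morning the scheduled alert runs
    print("daily counts:", failures_per_user_day(in_window(SAMPLE_EVENTS, run_day)))
    print("users to alert on:", alert_users(SAMPLE_EVENTS, run_day))
```

Two things the sample data makes visible: the threshold is applied per calendar day before the days are counted, so a user with 49 failures on each of three days never appears even though the total is well over 150; and because the window ends at @d, failures logged today are not seen until tomorrow's run, so with `search count > 2` a user must have exceeded the threshold on all three complete days in the window. If a rolling total is what is actually wanted, the first `stats` would have to drop the `_time` split.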

majidlodhi
Explorer

Thank you very much. It works now:)

0 Karma