All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to track if someone is trying to log in every X minutes or seconds as if programmed to do so?

summitsplunk
Communicator
‎05-01-2018 11:24 AM

My query looks like this:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
|stats count by src_user,src,action

How would I check if this query produces results on an X timeframe like every 10min?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-01-2018 11:52 AM

Like this, for rigid buckets:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| bin span=10m _time
| stats count BY src_user, src, action, _time

OR this for a sliding window:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| streamstats time_window=600 count BY src_user, src, action

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-01-2018 11:52 AM

Like this, for rigid buckets:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| bin span=10m _time
| stats count BY src_user, src, action, _time

OR this for a sliding window:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| streamstats time_window=600 count BY src_user, src, action
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎05-01-2018 12:23 PM

streamstats and eventstats command are the two which give me hard times everytime 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...