Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count similar events per 5 minutes in a 60 minute search?

ZacEsa
Communicator
‎08-04-2016 06:23 PM

Hi, I'm trying to have a table of failed login attempts. The table shows all failed login attempts for the last 60 minutes but, I want to group similar attempts by device, username used, attempt from and reason for failure.

I've already managed to group them but, I don't want the table to show the count for similar events for the last 60 minutes. Instead, I want it to group by similar events for last 5 minutes WHILE showing all the attempts for the last 60 minutes. I'm not even sure this is possible. I tried bucket _time span=5m but, it still groups by the whole 60 minutes. Here's what I have so far;

stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason
 | table _time acddev acduser acdfrom acdreason count
 | sort -_time

EDIT: I've managed to get the bucket to work by changing stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason to stats count by _time, acddev, acduser, acdfrom, acdreason but, I don't want to show the time in 5 minute intervals, I want to show the time of the latest attempt in that group of events. Is this possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-05-2016 05:37 AM

Try this

| bin _time span=5m 
| stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason
| table _time "latest login" acddev acduser acdfrom acdreason count
| sort -_time

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-05-2016 05:37 AM

Try this

| bin _time span=5m 
| stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason
| table _time "latest login" acddev acduser acdfrom acdreason count
| sort -_time
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-07-2016 05:31 PM

Doesn't work, both _time and "latest login" gives out the same value. I believe it's because of the bin/bucket.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-07-2016 06:30 PM

Have you tried transaction?

... | transaction maxspan=5m acddev, acduser, acdfrom, acdreason | table _time  acddev acduser acdfrom acdreason count
0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-07-2016 06:33 PM

Transaction isn't showing the count. 😕

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-07-2016 07:00 PM

Transactio will create a event_count field that shows the number of events grouped together

0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-08-2016 12:11 AM

Thanks! It works! Can you edit your answer and I'll accept it.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...