Deployment Architecture

How to count similar events per 5 minutes in a 60 minute search?

ZacEsa
Communicator

Hi, I'm trying to have a table of failed login attempts. The table shows all failed login attempts for the last 60 minutes but, I want to group similar attempts by device, username used, attempt from and reason for failure.

I've already managed to group them but, I don't want the table to show the count for similar events for the last 60 minutes. Instead, I want it to group by similar events for last 5 minutes WHILE showing all the attempts for the last 60 minutes. I'm not even sure this is possible. I tried bucket _time span=5m but, it still groups by the whole 60 minutes. Here's what I have so far;

stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason
 | table _time acddev acduser acdfrom acdreason count
 | sort -_time

EDIT: I've managed to get the bucket to work by changing stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason to stats count by _time, acddev, acduser, acdfrom, acdreason but, I don't want to show the time in 5 minute intervals, I want to show the time of the latest attempt in that group of events. Is this possible?

0 Karma
1 Solution

sundareshr
Legend

Try this

| bin _time span=5m 
| stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason
| table _time "latest login" acddev acduser acdfrom acdreason count
| sort -_time

View solution in original post

sundareshr
Legend

Try this

| bin _time span=5m 
| stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason
| table _time "latest login" acddev acduser acdfrom acdreason count
| sort -_time

ZacEsa
Communicator

Doesn't work, both _time and "latest login" gives out the same value. I believe it's because of the bin/bucket.

0 Karma

sundareshr
Legend

Have you tried transaction?

... | transaction maxspan=5m acddev, acduser, acdfrom, acdreason | table _time  acddev acduser acdfrom acdreason count
0 Karma

ZacEsa
Communicator

Transaction isn't showing the count. 😕

0 Karma

sundareshr
Legend

Transactio will create a event_count field that shows the number of events grouped together

0 Karma

ZacEsa
Communicator

Thanks! It works! Can you edit your answer and I'll accept it.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...