Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count similar events per 5 minutes in a 60 minute search?

ZacEsa
Communicator
‎08-04-2016 06:23 PM

Hi, I'm trying to have a table of failed login attempts. The table shows all failed login attempts for the last 60 minutes but, I want to group similar attempts by device, username used, attempt from and reason for failure.

I've already managed to group them but, I don't want the table to show the count for similar events for the last 60 minutes. Instead, I want it to group by similar events for last 5 minutes WHILE showing all the attempts for the last 60 minutes. I'm not even sure this is possible. I tried bucket _time span=5m but, it still groups by the whole 60 minutes. Here's what I have so far;

stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason
 | table _time acddev acduser acdfrom acdreason count
 | sort -_time

EDIT: I've managed to get the bucket to work by changing stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason to stats count by _time, acddev, acduser, acdfrom, acdreason but, I don't want to show the time in 5 minute intervals, I want to show the time of the latest attempt in that group of events. Is this possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-05-2016 05:37 AM

Try this

| bin _time span=5m 
| stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason
| table _time "latest login" acddev acduser acdfrom acdreason count
| sort -_time

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-05-2016 05:37 AM

Try this

| bin _time span=5m 
| stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason
| table _time "latest login" acddev acduser acdfrom acdreason count
| sort -_time
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-07-2016 05:31 PM

Doesn't work, both _time and "latest login" gives out the same value. I believe it's because of the bin/bucket.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-07-2016 06:30 PM

Have you tried transaction?

... | transaction maxspan=5m acddev, acduser, acdfrom, acdreason | table _time  acddev acduser acdfrom acdreason count
0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-07-2016 06:33 PM

Transaction isn't showing the count. 😕

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-07-2016 07:00 PM

Transactio will create a event_count field that shows the number of events grouped together

0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎08-08-2016 12:11 AM

Thanks! It works! Can you edit your answer and I'll accept it.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...