Hi Team,
I hope that we are all well?
I'm working on a search to assist in monitoring one of our web portals. We'd like to identify instances where an IP Address has hit our login page, received an HTTP status code of between 400 & 500, and then is never seen anywhere else on our site.
Would it be as simple as:
index=web_portal request=*/auth/connect/token* (status>=400 AND status<500)
| search NOT
[ search index=web_portal request!=*/auth/connect/token*
| table src_ip]
| table _time src_ip site request
Any assistance would be greatly appreciated.
Hi! So here is a search specifically for identifying users (src_ips) who have only failed login requests:
your base search | table src_ip,site,request,status
| eval is_failed_login=if(like(request,"%/auth/connect/token%") AND status>=400 AND status<500,"yes","no")
| stats count(eval(is_failed_login=="yes")) as failed_logins count(eval(is_failed_login!="yes")) as other_requests by site,src_ip
| search other_requests=0
You could save the eval expression for is_failed_login as a calculated field via Settings / Fields / Calculated fields to shorten the search.
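The same "only ever failed at the token endpoint" logic, written out in Python over a few constructed log lines so the grouping can be checked outside Splunk. This is an added example, not code from the thread; the event format, the site name and the IP addresses are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample web-portal events (not real data). Fields mirror the
# Splunk fields used in the thread: _time, site, src_ip, request, status.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01Z portal 203.0.113.10 POST /auth/connect/token 401
2024-01-01T10:00:05Z portal 203.0.113.10 POST /auth/connect/token 400
2024-01-01T10:01:00Z portal 203.0.113.20 POST /auth/connect/token 401
2024-01-01T10:01:30Z portal 203.0.113.20 POST /auth/connect/token 200
2024-01-01T10:02:00Z portal 203.0.113.20 GET /dashboard 200
2024-01-01T10:03:00Z portal 203.0.113.30 POST /auth/connect/token 403
2024-01-01T10:03:10Z portal 203.0.113.30 GET /static/app.js 200
2024-01-01T10:04:00Z portal 198.51.100.5 GET /auth/connect/token 500
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<site>\S+) (?P<src_ip>\S+) (?P<method>\S+) "
    r"(?P<request>\S+) (?P<status>\d{3})$"
)


def is_failed_login(request, status):
    """Equivalent of the thread's eval: token endpoint with a 4xx status."""
    return "/auth/connect/token" in request and 400 <= status < 500


def failed_login_only_ips(raw_events):
    """Return {(site, src_ip): failed_logins} for IPs with other_requests == 0.

    Mirrors the stats/search tail of the answer: count failed logins and
    every other request per (site, src_ip), then keep only groups whose
    other_requests count is zero.
    """
    counts = defaultdict(lambda: {"failed_logins": 0, "other_requests": 0})
    for line in raw_events.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        key = (m["site"], m["src_ip"])
        if is_failed_login(m["request"], int(m["status"])):
            counts[key]["failed_logins"] += 1
        else:
            counts[key]["other_requests"] += 1
    # Any IP that later succeeded, browsed elsewhere, or got a 5xx drops out.
    return {k: v["failed_logins"] for k, v in counts.items()
            if v["other_requests"] == 0}
```

In the sample only 203.0.113.10 survives; the 500 on the token endpoint for 198.51.100.5 is deliberately counted as "other", matching the thread's 400-499 window.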
Thank you! 😄
I'm normally not too bad with SPL, but for some reason, my head has been a bit awry this week!
Hi, I believe that we are all well!
What exactly is the problem? Is your search not producing any results?
Perhaps you could post a couple of events. That would make it much easier for us to help.
Hi whrg,
Thanks for responding! I'm hesitant to post a few events because the info could be considered on the sensitive side and redacting fields will kinda kill the event - I can attempt a more verbose expectation?
The end goal is to detect "unusual" activity on our login page. We are interested in detecting where a source IP has been seen failing to log in to the logon portal, but hasn't been seen anywhere else on our site.
So a "user" has attempted to authenticate, failed, and then is never seen again.
What I'm trying to achieve with this logic is to see instances where a single IP Address has only ever been seen failing to authenticate to /auth/connect/token.
I hope that this helps clear things up?