Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Complex Conditional search based on time

ashutoshab
Communicator
‎07-03-2017 10:43 AM

I am a newbie in splunk and practising to learn it slowly.

I have a setup where I am forwarding logs of Windows Machine to splunk. I practise using this setup.
As a practice, I have a use case where I want to trigger an alert if there 5 Failed Logon Attempts (on windows machine) in 30 minutes (or any time range) from Same Account OR Same Network Address.

I can write the search part to identify failed Logon Attempts on windows, But failing to write the further search query.

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| stats count by host | where count>5

Now I need help regarding the Time Condition and Two subsearches where I can identify Account_Name or Network_Address to be greater than 5

0 Karma
Reply

somesoni2
Revered Legend
‎07-03-2017 11:59 AM

Try this

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| strcat Account_Name " " Network_Address Alert_Field
 | stats count by Alert_Field | where count>5
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...