Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Deleted topic

attschh1
New Member
‎10-20-2016 12:26 AM

Delete

Tags (1)
0 Karma
Reply

maciep
Champion
‎10-24-2016 07:38 PM

I saw you respond to the first answer that it wasn't you wanted, so just trying to be sure we all understand exactly what you do want.....

When you say failed 3 times, do you mean 3 times in one day? Or 3 times over the entire previous month? And then depending on that answer, what do you by 3 consecutive days. So a user had a failed logon at least 3 times per day for 3 consecutive days? Or just 3 consecutive and at least 3 times over the month?

I'm also confused a bit on what you want returned. Could you elaborate a bit on what "the name of the agent and total user counts" means? And/or, given the sample data you provided, exactly what sort of results would you expect to see?

And since you do want to see agent in the results, are the failed logon requirements at the agent level too? Meaning, if a user has a logon failure 3 days in a row but 2 days are for one agent and 1 day is for another, does that count?

0 Karma
Reply

attschh1
New Member
‎10-24-2016 07:57 PM

Sorry for making you confuse.

What i want is

  • If the user failed login for 3 times and consecutively for 3 days (In any days of the month for example if this happen in 01,02,03 and 10,11,12 it will be 2 counts). Then just return the uid and the count.

We can ignore the agent part for now first.

I hope that you can understand better on what i want.

Thanks a lot for your time

0 Karma
Reply

sundareshr
Legend
‎10-20-2016 09:32 AM

See if this works

index="SM" AuthReject uid=* earliest=-30d@d | bin span=1d _time | stats count by uid _time | where count>2 | delta _time as d | transaction d uid maxevents=3
0 Karma
Reply

attschh1
New Member
‎10-24-2016 07:13 PM

Not what i wanted. But thanks a lot for your effort!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...