Getting Data In

How do you collect log within 1 hour from file log rotate?

hiepdv4
New Member

Dear all,

I have file log access /var/log/secure .
Use log rotate ( setting daily)
I need collect log login fail 3 times on 1 IP within 1 hour from file log /var/log/secure.
I used the following query:

> source="/var/log/secure" sourcetype=linux_secure process=sshd "password for" NOT pam_unix NOT Accepted earliest=-24h latest=now | rex field=_raw "(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)" | stats count by ipaddr | where count >=3

I need support collecting logs with 1 hours
Please support me.

Tags (2)
0 Karma
1 Solution

sudosplunk
Motivator

Use timechart instead of stats, ...| timechart span=1h count by ipaddr | where count>2

OR

Use bin command, index=index source=source | bin _time span=1h |...rest of the search...|stats count by ipaddr | where count >2

View solution in original post

0 Karma

sudosplunk
Motivator

Use timechart instead of stats, ...| timechart span=1h count by ipaddr | where count>2

OR

Use bin command, index=index source=source | bin _time span=1h |...rest of the search...|stats count by ipaddr | where count >2

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...