Getting Data In

How do you collect log within 1 hour from file log rotate?

hiepdv4
New Member

Dear all,

I have file log access /var/log/secure .
Use log rotate ( setting daily)
I need collect log login fail 3 times on 1 IP within 1 hour from file log /var/log/secure.
I used the following query:

> source="/var/log/secure" sourcetype=linux_secure process=sshd "password for" NOT pam_unix NOT Accepted earliest=-24h latest=now | rex field=_raw "(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)" | stats count by ipaddr | where count >=3

I need support collecting logs with 1 hours
Please support me.

Tags (2)
0 Karma
1 Solution

sudosplunk
Motivator

Use timechart instead of stats, ...| timechart span=1h count by ipaddr | where count>2

OR

Use bin command, index=index source=source | bin _time span=1h |...rest of the search...|stats count by ipaddr | where count >2

View solution in original post

0 Karma

sudosplunk
Motivator

Use timechart instead of stats, ...| timechart span=1h count by ipaddr | where count>2

OR

Use bin command, index=index source=source | bin _time span=1h |...rest of the search...|stats count by ipaddr | where count >2

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...