Inconsistency in the data every day while running ...

deepthi5 · ‎07-06-2022

index=wineventlog EventCode=4625 | search user!="sa*" AND user!="VD*" AND user_email!=""

| bucket _time span=10m

| eval minute=strftime(_time, "%M")

| eval hour=strftime(_time, "%H")

| eval day=strftime(_time, "%D")

| eval wday=strftime(_time, "%A")

| stats count(EventCode) as aantal by hour, wday, day

| rename aantal as #_failed_logins

| eval search_value = wday+"_"+hour

| table hour, day, wday, search_value, #_failed_logins, upperBound, upperBound_2stdev, upperBound_2.5stdev, upperBound_3stdev, upperBound_3.5stdev, upperBound_4stdev, twoSigmaLimit, hour_avg, hour_avg_2sig, hour_stdev, hour_stdev_2sig

Every day this query gives a different count

somesoni2 · ‎07-06-2022

Different count of rows OR different count for #_Failed_Logins?

The number of rows depends upon the availability of events in Splunk, so they may not be same every day (unless you expect same number failed logins every day occurring on same hour every day).

deepthi5 · ‎07-06-2022

Different count of #_Failed_logins

Inconsistency in the data every day while running the query report

saved search

scheduled search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!